staging: gdm72xx: underflow in netlink_rcv_cb()

If nlh->nlmsg_len is less than ND_IFINDEX_LEN we end up trying to memcpy
a negative size.  I also re-ordered slighty the condition to make it
more uniform.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/gdm72xx/netlink_k.c b/drivers/staging/gdm72xx/netlink_k.c
index 783770b106b3122df9c6e2f4720d8114efbe1b45..984ca40f2bd3146858bc53ea4001d558127c1f1a 100644 (file)
--- a/drivers/staging/gdm72xx/netlink_k.c
+++ b/drivers/staging/gdm72xx/netlink_k.c
@@ -55,7 +55,8 @@ static void netlink_rcv_cb(struct sk_buff *skb)
        if (skb->len >= NLMSG_HDRLEN) {
                nlh = (struct nlmsghdr *)skb->data;
 
-               if (skb->len < nlh->nlmsg_len ||
+               if (nlh->nlmsg_len < ND_IFINDEX_LEN ||
+                   nlh->nlmsg_len > skb->len ||
                    nlh->nlmsg_len > ND_MAX_MSG_LEN) {
                        netdev_err(skb->dev, "Invalid length (%d,%d)\n",
                                   skb->len, nlh->nlmsg_len);