CVE-2024-27414
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/05/2024
Last modified:
05/11/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back

In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks
IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic
in the function `rtnl_bridge_setlink` to enable the loop to also check
the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment
removed the `break` statement and led to an error logic of the flags
writing back at the end of this function.

    if (have_flags)
        memcpy(nla_data(attr), &flags, sizeof(flags));
        // attr should point to IFLA_BRIDGE_FLAGS NLA !!!

Before the mentioned commit, the `attr` is guaranteed to be IFLA_BRIDGE_FLAGS.
However, this is not necessarily true for now as the updated loop will let
the attr point to the last NLA, even an invalid NLA which could cause
overflow writes.

This patch introduces a new variable `br_flag` to save the NLA pointer
that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned
error logic.
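The write-back logic described above, modelled in user space as an added example. This is not the kernel's code and not the patch: it assumes local stand-ins for the netlink attribute helpers (`nla_ok`, `nla_next`, `nla_data`, ...) and for the `IFLA_BRIDGE_*`/`BRIDGE_FLAGS_*` constants (values copied from the uapi headers), a hypothetical `process_flags` in place of the `ndo_bridge_setlink` driver calls, and a constructed two-attribute message in which IFLA_BRIDGE_FLAGS is followed by IFLA_BRIDGE_MODE. `setlink_buggy` keeps the loop shape from after d73ef2d69c0d (no `break`, write-back through `attr`); `setlink_fixed` keeps the flags NLA in its own pointer, as the fix does. The buffer carries guard bytes past the message so the misplaced write is observable instead of undefined.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for linux/netlink.h and linux/if_bridge.h (assumed values,
 * redefined here only so the model builds outside the kernel). */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_ALIGN(len) (((len) + 3) & ~3)
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))
enum { IFLA_BRIDGE_FLAGS = 0, IFLA_BRIDGE_MODE = 1 };
#define BRIDGE_FLAGS_MASTER 1
#define BRIDGE_FLAGS_SELF   2

static int nla_type(const struct nlattr *a) { return a->nla_type; }
static int nla_len(const struct nlattr *a) { return a->nla_len - NLA_HDRLEN; }
static void *nla_data(const struct nlattr *a) { return (char *)a + NLA_HDRLEN; }
static bool nla_ok(const struct nlattr *a, int rem)
{
	return rem >= (int)sizeof(*a) && a->nla_len >= sizeof(*a) && a->nla_len <= rem;
}
static struct nlattr *nla_next(const struct nlattr *a, int *rem)
{
	int total = NLA_ALIGN(a->nla_len);
	*rem -= total;
	return (struct nlattr *)((char *)a + total);
}
/* Same shape as nla_for_each_nested(): on exit, pos is the NLA nla_ok() rejected. */
#define nla_for_each(pos, head, len, rem) \
	for (pos = (struct nlattr *)(head), rem = (len); nla_ok(pos, rem); pos = nla_next(pos, &rem))

/* Hypothetical stand-in for the driver calls: the master device consumes its bit. */
static uint16_t process_flags(uint16_t flags) { return flags & ~BRIDGE_FLAGS_MASTER; }

/* Loop as it stood after d73ef2d69c0d: no break, so `attr` ends wherever the
 * walk stopped, normally just past the last attribute. *write_off receives the
 * offset (from buf) that the write-back touched, -1 if none. */
static int setlink_buggy(unsigned char *buf, int len, int *write_off)
{
	struct nlattr *attr; int rem; bool have_flags = false; uint16_t flags = 0;

	*write_off = -1;
	nla_for_each(attr, buf, len, rem) {
		if (nla_type(attr) == IFLA_BRIDGE_FLAGS) {
			if (nla_len(attr) < (int)sizeof(flags)) return -EINVAL;
			have_flags = true;
			memcpy(&flags, nla_data(attr), sizeof(flags));
		}
		if (nla_type(attr) == IFLA_BRIDGE_MODE && nla_len(attr) < (int)sizeof(uint16_t))
			return -EINVAL;
	}
	flags = process_flags(flags);
	if (have_flags) {	/* attr is not the IFLA_BRIDGE_FLAGS NLA here */
		*write_off = (int)((unsigned char *)nla_data(attr) - buf);
		memcpy(nla_data(attr), &flags, sizeof(flags));
	}
	return 0;
}

/* Fixed shape: remember the IFLA_BRIDGE_FLAGS NLA and write back through it. */
static int setlink_fixed(unsigned char *buf, int len, int *write_off)
{
	struct nlattr *attr, *br_flags_attr = NULL; int rem; uint16_t flags = 0;

	*write_off = -1;
	nla_for_each(attr, buf, len, rem) {
		if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flags_attr) {
			if (nla_len(attr) < (int)sizeof(flags)) return -EINVAL;
			br_flags_attr = attr;
			memcpy(&flags, nla_data(attr), sizeof(flags));
		}
		if (nla_type(attr) == IFLA_BRIDGE_MODE && nla_len(attr) < (int)sizeof(uint16_t))
			return -EINVAL;
	}
	flags = process_flags(flags);
	if (br_flags_attr) {
		*write_off = (int)((unsigned char *)nla_data(br_flags_attr) - buf);
		memcpy(nla_data(br_flags_attr), &flags, sizeof(flags));
	}
	return 0;
}

/* Append one u16 attribute at buf+off; returns the next aligned offset. */
static int put_u16(unsigned char *buf, int off, uint16_t type, uint16_t val)
{
	struct nlattr *a = (struct nlattr *)(buf + off);
	a->nla_len = (uint16_t)(NLA_HDRLEN + sizeof(val));
	a->nla_type = type;
	memcpy(nla_data(a), &val, sizeof(val));
	return off + NLA_ALIGN(a->nla_len);
}

struct outcome { int rc, write_off; uint16_t flags_in_msg; bool guard_clobbered; };

/* Constructed message: FLAGS (MASTER|SELF) then MODE, 16 bytes, inside a
 * 32-byte buffer whose remainder is filled with a 0xAA guard pattern. */
static struct outcome run_case(bool fixed)
{
	union { uint32_t align; unsigned char b[32]; } u;
	struct outcome o = {0};
	int len;

	memset(u.b, 0xAA, sizeof u.b);
	len = put_u16(u.b, 0, IFLA_BRIDGE_FLAGS, BRIDGE_FLAGS_MASTER | BRIDGE_FLAGS_SELF);
	len = put_u16(u.b, len, IFLA_BRIDGE_MODE, 0);
	o.rc = fixed ? setlink_fixed(u.b, len, &o.write_off) : setlink_buggy(u.b, len, &o.write_off);
	memcpy(&o.flags_in_msg, u.b + NLA_HDRLEN, sizeof o.flags_in_msg);
	for (int i = len; i < (int)sizeof u.b; i++)
		if (u.b[i] != 0xAA) o.guard_clobbered = true;
	return o;
}

int main(void)
{
	struct outcome b = run_case(false), f = run_case(true);
	printf("buggy: wrote at offset %d, flags payload now %u, guard clobbered: %s\n",
	       b.write_off, b.flags_in_msg, b.guard_clobbered ? "yes" : "no");
	printf("fixed: wrote at offset %d, flags payload now %u, guard clobbered: %s\n",
	       f.write_off, f.flags_in_msg, f.guard_clobbered ? "yes" : "no");
	return 0;
}
```

With the 16-byte message the buggy path writes the two flag bytes at offset 20, past the end of the message and into the guard region, while the IFLA_BRIDGE_FLAGS payload at offset 4 still holds the original value; the fixed path writes the processed value back at offset 4 and leaves the guard untouched. The same applies whenever IFLA_BRIDGE_FLAGS is not the final attribute, which is exactly the case the original `break` used to guarantee could not matter.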
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/167d8642daa6a44b51de17f8ff0f584e1e762db7
- https://git.kernel.org/stable/c/743ad091fb46e622f1b690385bb15e3cd3daf874
- https://git.kernel.org/stable/c/831bc2728fb48a8957a824cba8c264b30dca1425
- https://git.kernel.org/stable/c/882a51a10ecf24ce135d573afa0872aef02c5125
- https://git.kernel.org/stable/c/a1227b27fcccc99dc44f912b479e01a17e2d7d31
- https://git.kernel.org/stable/c/b9fbc44159dfc3e9a7073032752d9e03f5194a6f
- https://git.kernel.org/stable/c/f2261eb994aa5757c1da046b78e3229a3ece0ad9