| Message ID | 20231107012147.668074-1-maxdev@posteo.de (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 78eebdbc7d2f96b01a18d7db33c1c99266efc4bc |
| Delegated to: | Stephen Hemminger |
| Headers | show |
| Series | [iproute2] libnetlink: validate nlmsg header length first | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
Hello: This patch was applied to iproute2/iproute2.git (main) by Stephen Hemminger <stephen@networkplumber.org>: On Tue, 7 Nov 2023 01:20:55 +0000 you wrote: > Validate the nlmsg header length before accessing the nlmsg payload > length. > > Fixes: 892a25e286fb ("libnetlink: break up dump function") > > Signed-off-by: Max Kunzelmann <maxdev@posteo.de> > Reviewed-by: Benny Baumann <BenBE@geshi.org> > Reviewed-by: Robert Geislinger <github@crpykng.de> > > [...] Here is the summary with links: - [iproute2] libnetlink: validate nlmsg header length first https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=78eebdbc7d2f You are awesome, thank you!
diff --git a/lib/libnetlink.c b/lib/libnetlink.c index 7edcd285..01648229 100644 --- a/lib/libnetlink.c +++ b/lib/libnetlink.c @@ -727,13 +727,15 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n) static int rtnl_dump_done(struct nlmsghdr *h, const struct rtnl_dump_filter_arg *a) { - int len = *(int *)NLMSG_DATA(h); + int len; if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) { fprintf(stderr, "DONE truncated\n"); return -1; } + len = *(int *)NLMSG_DATA(h); + if (len < 0) { errno = -len;
Validate the nlmsg header length before accessing the nlmsg payload length. Fixes: 892a25e286fb ("libnetlink: break up dump function") Signed-off-by: Max Kunzelmann <maxdev@posteo.de> Reviewed-by: Benny Baumann <BenBE@geshi.org> Reviewed-by: Robert Geislinger <github@crpykng.de> --- lib/libnetlink.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)