From patchwork Tue Nov 7 01:20:55 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Max Kunzelmann
X-Patchwork-Id: 13447645
X-Patchwork-Delegate: stephen@networkplumber.org
From: Max Kunzelmann
To: netdev@vger.kernel.org
Cc: stephen@networkplumber.org, dsahern@gmail.com, Max Kunzelmann, Benny Baumann, Robert Geislinger
Subject: [PATCH iproute2] libnetlink: validate nlmsg header length first
Date: Tue, 7 Nov 2023 01:20:55 +0000
Message-ID: <20231107012147.668074-1-maxdev@posteo.de>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: dsahern@gmail.com

Validate the nlmsg header length before accessing the nlmsg payload length.

Fixes: 892a25e286fb ("libnetlink: break up dump function")
Signed-off-by: Max Kunzelmann
Reviewed-by: Benny Baumann
Reviewed-by: Robert Geislinger

--- lib/libnetlink.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/libnetlink.c b/lib/libnetlink.c index 7edcd285..01648229 100644 --- a/lib/libnetlink.c +++ b/lib/libnetlink.c @@ -727,13 +727,15 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n) static int rtnl_dump_done(struct nlmsghdr *h, const struct rtnl_dump_filter_arg *a) { - int len = *(int *)NLMSG_DATA(h); + int len; if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) { fprintf(stderr, "DONE truncated\n"); return -1; } + len = *(int *)NLMSG_DATA(h); + if (len < 0) { errno = -len;
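
Review bot: the relocated read "len = *(int *)NLMSG_DATA(h);" in rtnl_dump_done() is only as safe as h->nlmsg_len, which is a field of the very message being validated. The check "h->nlmsg_len < NLMSG_LENGTH(sizeof(int))" proves that the header claims room for an int, not that the receive buffer actually holds that many bytes. Nothing in this hunk shows that the caller has already bounded nlmsg_len by the number of bytes received (for example with NLMSG_OK), so please confirm that in the commit message or add the bound here. The commit message would also be more useful to backporters if it stated the consequence being fixed: in the removed line the initializer dereferenced the payload before the "DONE truncated" test ran, so a DONE message shorter than NLMSG_LENGTH(sizeof(int)) was read beyond its declared length.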