From patchwork Wed Nov 30 22:09:20 2022
X-Patchwork-Submitter: Max Kunzelmann
X-Patchwork-Id: 13060502
X-Patchwork-Delegate: dsahern@gmail.com
Message-ID: <4fe84646-eef5-1a33-5451-11a7800c3c9d@posteo.de>
Date: Wed, 30 Nov 2022 22:09:20 +0000
MIME-Version: 1.0
Content-Language:
en-US To: netdev@vger.kernel.org From: maxdev@posteo.de Subject: [PATCH] Ensure check of nlmsg length is performed before actual access Cc: BenBE@geshi.org, github@crpykng.de Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org During a brief code review we noticed that the length field expected inside the payload of the message is accessed before it is ensured that the payload is large enough to actually hold this field. The people mentioned in the commit message helped in the overall code review. Kind regards, Max From 89216bacbc44d6719668132626ffd66862be6dfc Mon Sep 17 00:00:00 2001 From: Max Kunzelmann Date: Wed, 23 Mar 2022 20:42:58 +0100 Subject: [PATCH] Ensure check of nlmsg length is performed before actual access Reviewed-by: Benny Baumann Reviewed-by: Robert Geislinger --- lib/libnetlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libnetlink.c b/lib/libnetlink.c index 9af06232..0fe78943 100644 --- a/lib/libnetlink.c +++ b/lib/libnetlink.c @@ -732,13 +732,13 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n) static int rtnl_dump_done(struct nlmsghdr *h, const struct rtnl_dump_filter_arg *a) { - int len = *(int *)NLMSG_DATA(h); - if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) { fprintf(stderr, "DONE truncated\n"); return -1; } + int len = *(int *)NLMSG_DATA(h); + if (len < 0) { errno = -len; -- 2.38.1
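Review bot: The relocated `int len = *(int *)NLMSG_DATA(h);` in rtnl_dump_done() now follows the `if` statement, a mixed declaration-and-code layout that iproute2 (which follows the kernel coding style) avoids; keep `int len;` at the top of the function and assign `len = *(int *)NLMSG_DATA(h);` after the `nlmsg_len` check instead. The reordering itself is correct: the removed line dereferenced NLMSG_DATA(h) before `h->nlmsg_len < NLMSG_LENGTH(sizeof(int))` was evaluated, so a truncated DONE message would have been read past its received payload before the "DONE truncated" path could reject it; stating that over-read explicitly in the commit message would make the security relevance of the change clear to anyone reading the history.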