| From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001 |
| From: Thomas Haller <thaller@redhat.com> |
| Date: Mon, 6 Feb 2017 22:23:52 +0100 |
| Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() |
| |
| In general, libnl functions are not robust against calling with |
| invalid arguments. Thus, never call libnl functions with invalid |
| arguments. In case of nlmsg_reserve() this means never provide |
| a @len argument that causes overflow. |
| |
| Still, add an additional safeguard to avoid exploiting such bugs. |
| |
| Assume that @pad is a trusted, small integer. |
| Assume that n->nm_size is a valid number of allocated bytes (and thus |
| much smaller then SIZE_T_MAX). |
| Assume, that @len may be set to an untrusted value. Then the patch |
| avoids an integer overflow resulting in reserving too few bytes. |
| |
| [Upstream commit: https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb.patch] |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| lib/msg.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/lib/msg.c b/lib/msg.c |
| index 9af3f3a0..3e27d4e0 100644 |
| --- a/lib/msg.c |
| +++ b/lib/msg.c |
| @@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) |
| size_t nlmsg_len = n->nm_nlh->nlmsg_len; |
| size_t tlen; |
| |
| + if (len > n->nm_size) |
| + return NULL; |
| + |
| tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; |
| |
| if ((tlen + nlmsg_len) > n->nm_size) |
