From: maxdev@posteo.de
To: netdev@vger.kernel.org
Cc: BenBE@geshi.org, github@crpykng.de
Subject: [PATCH] Ensure check of nlmsg length is performed before actual access
Date: Wed, 30 Nov 2022 22:09:20 +0000
Message-ID: <4fe84646-eef5-1a33-5451-11a7800c3c9d@posteo.de>


During a brief code review we noticed that the length field expected 
inside the payload of the message is accessed before it is ensured that 
the payload is large enough to actually hold this field.

The people mentioned in the commit message helped in the overall code 
review.

Kind regards,
Max

[-- Attachment #2: 0001-Ensure-check-of-nlmsg-length-is-performed-before-act.patch --]
[-- Type: text/x-patch, Size: 952 bytes --]

From 89216bacbc44d6719668132626ffd66862be6dfc Mon Sep 17 00:00:00 2001
From: Max Kunzelmann <maxdev@posteo.de>
Date: Wed, 23 Mar 2022 20:42:58 +0100
Subject: [PATCH] Ensure check of nlmsg length is performed before actual
 access

Reviewed-by: Benny Baumann <BenBE@geshi.org>
Reviewed-by: Robert Geislinger <github@crpykng.de>
---
 lib/libnetlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index 9af06232..0fe78943 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -732,13 +732,13 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n)
 static int rtnl_dump_done(struct nlmsghdr *h,
 			  const struct rtnl_dump_filter_arg *a)
 {
-	int len = *(int *)NLMSG_DATA(h);
-
 	if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) {
 		fprintf(stderr, "DONE truncated\n");
 		return -1;
 	}
 
+	int len = *(int *)NLMSG_DATA(h);
+
 	if (len < 0) {
 		errno = -len;
 
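Review bot: the relocated `int len = *(int *)NLMSG_DATA(h);` now sits after the `if` block, which makes it a declaration following statements; the kernel coding style that iproute2 follows keeps declarations at the top of the block, so leave `int len;` where the old declaration was and move only the assignment below the truncation check, i.e. `len = *(int *)NLMSG_DATA(h);`. The reordering itself is correct: in the old order the int was read from NLMSG_DATA(h) before `h->nlmsg_len < NLMSG_LENGTH(sizeof(int))` had confirmed the message actually carries it. The commit message also carries only Reviewed-by: tags and no Signed-off-by: line from the author, which the DCO process expects, and since the patch goes to netdev the subject should say `[PATCH iproute2]` so it is not taken for a kernel patch.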
-- 
2.38.1


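The check-before-read ordering the patch establishes, as an added example that is not part of the patch or of iproute2's own code: a simplified stand-in for rtnl_dump_done() is run against constructed NLMSG_DONE messages. The make_done() and run_scenario() helpers, the NLMSG_OK() bound on the received byte count (in iproute2 the caller, rtnl_dump_filter_l(), checks that before rtnl_dump_done() runs) and the EINVAL reported for truncation (rtnl_dump_done() itself only returns -1) are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <linux/netlink.h>

/*
 * Simplified stand-in for rtnl_dump_done() in iproute2's lib/libnetlink.c,
 * in the post-patch order: the int status is read from the payload only
 * after h->nlmsg_len proves the payload holds it.  recv_len is the number
 * of bytes actually received into the buffer starting at h; the NLMSG_OK()
 * bound on it is an assumption of this example (iproute2 checks it in the
 * caller, rtnl_dump_filter_l()).
 *
 * Returns  1 when the dump finished cleanly (status 0),
 *         -1 with errno = EINVAL when the message is truncated (EINVAL is a
 *            choice of this example; rtnl_dump_done() only returns -1),
 *         -1 with errno = -status when the kernel reported an error.
 */
static int dump_done(struct nlmsghdr *h, int recv_len)
{
	int len;

	/* Outer bound: full header present and nlmsg_len within received bytes. */
	if (!NLMSG_OK(h, recv_len)) {
		fprintf(stderr, "DONE truncated (header)\n");
		errno = EINVAL;
		return -1;
	}

	/* Inner bound: the same test as libnetlink.c, now ahead of the read. */
	if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) {
		fprintf(stderr, "DONE truncated\n");
		errno = EINVAL;
		return -1;
	}

	len = *(int *)NLMSG_DATA(h);	/* safe: >= sizeof(int) bytes of payload */
	if (len < 0) {
		errno = -len;
		return -1;
	}
	return 1;
}

/*
 * Constructed sample (helper of this example): an NLMSG_DONE header followed
 * by payload_len bytes, the first min(payload_len, 4) of which carry status.
 * The rest of the buffer is filled with 0xff to stand in for stale data, which
 * is what the pre-patch read would have picked up from a DONE message that
 * has no payload.  Returns the number of bytes "received", -1 if too large.
 */
static int make_done(unsigned char *buf, size_t bufsz, int status, size_t payload_len)
{
	struct nlmsghdr hdr = {
		.nlmsg_len = NLMSG_HDRLEN + payload_len,
		.nlmsg_type = NLMSG_DONE,
		.nlmsg_flags = NLM_F_MULTI,
		.nlmsg_seq = 1,
		.nlmsg_pid = 0,
	};
	size_t copy = payload_len < sizeof(int) ? payload_len : sizeof(int);

	if (hdr.nlmsg_len > bufsz)
		return -1;
	memset(buf, 0xff, bufsz);
	memcpy(buf, &hdr, sizeof(hdr));
	memcpy(buf + NLMSG_HDRLEN, &status, copy);
	return (int)hdr.nlmsg_len;
}

/*
 * One scenario: build a DONE message with the given status and payload
 * length, optionally pretend only recv_len bytes arrived (recv_len < 0 means
 * the whole message), and return 0 for a clean finish or the errno value
 * dump_done() reported.
 */
static int run_scenario(int status, size_t payload_len, int recv_len)
{
	union { struct nlmsghdr h; unsigned char b[64]; } buf;	/* keeps h aligned */
	int n = make_done(buf.b, sizeof(buf.b), status, payload_len);
	int rc;

	if (n < 0)
		return EMSGSIZE;	/* scenario does not fit the sample buffer */
	if (recv_len >= 0)
		n = recv_len;
	errno = 0;
	rc = dump_done(&buf.h, n);
	return rc == 1 ? 0 : errno;
}

int main(void)
{
	printf("clean DONE:            %d (expect 0)\n", run_scenario(0, sizeof(int), -1));
	printf("kernel error ENOENT:   %d (expect %d)\n", run_scenario(-ENOENT, sizeof(int), -1), ENOENT);
	printf("no payload at all:     %d (expect %d)\n", run_scenario(0, 0, -1), EINVAL);
	printf("2-byte payload:        %d (expect %d)\n", run_scenario(0, 2, -1), EINVAL);
	printf("header cut at 8 bytes: %d (expect %d)\n", run_scenario(0, sizeof(int), 8), EINVAL);
	return 0;
}
```

In the "no payload at all" scenario the four bytes after the 16-byte header are the 0xff filler, so the pre-patch order would have loaded len = -1 from NLMSG_DATA(h) before the nlmsg_len test rejected the message; with the patched order that read never happens.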
Thread overview: 2+ messages
2022-11-30 22:09 maxdev [this message]
2022-11-30 22:17 ` [PATCH] Ensure check of nlmsg length is performed before actual access Jacob Keller