|
 |
930fb9 |
From 3ec32595e21849de3165d52e1af48ca3bdf51fab Mon Sep 17 00:00:00 2001
|
|
|
930fb9 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
930fb9 |
Date: Thu, 25 Oct 2018 12:24:30 +0200
|
|
|
930fb9 |
Subject: [PATCH] libnetlink: fix leak and using unused memory on error
|
|
|
930fb9 |
|
|
|
930fb9 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1602555
|
|
|
930fb9 |
Upstream Status: iproute2.git commit c60389e4f9ea8
|
|
|
930fb9 |
|
|
|
930fb9 |
commit c60389e4f9ea88d7246dbb148d28791d577fe5b4
|
|
|
930fb9 |
Author: Stephen Hemminger <stephen@networkplumber.org>
|
|
|
930fb9 |
Date: Thu Sep 13 12:33:38 2018 -0700
|
|
|
930fb9 |
|
|
|
930fb9 |
libnetlink: fix leak and using unused memory on error
|
|
|
930fb9 |
|
|
|
930fb9 |
If an error happens in multi-segment message (tc only)
|
|
|
930fb9 |
then report the error and stop processing further responses.
|
|
|
930fb9 |
This also fixes refering to the buffer after free.
|
|
|
930fb9 |
|
|
|
930fb9 |
The sequence check is not necessary here because the
|
|
|
930fb9 |
response message has already been validated to be in
|
|
|
930fb9 |
the window of the sequence number of the iov.
|
|
|
930fb9 |
|
|
|
930fb9 |
Reported-by: Mahesh Bandewar <mahesh@bandewar.net>
|
|
|
930fb9 |
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
|
|
|
930fb9 |
Acked-by: Mahesh Bandewar <maheshb@google.com>
|
|
|
930fb9 |
---
|
|
|
930fb9 |
lib/libnetlink.c | 23 +++++++++--------------
|
|
|
930fb9 |
1 file changed, 9 insertions(+), 14 deletions(-)
|
|
|
930fb9 |
|
|
|
930fb9 |
diff --git a/lib/libnetlink.c b/lib/libnetlink.c
|
|
|
930fb9 |
index 928de1d..5868092 100644
|
|
|
930fb9 |
--- a/lib/libnetlink.c
|
|
|
930fb9 |
+++ b/lib/libnetlink.c
|
|
|
930fb9 |
@@ -617,7 +617,6 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
|
|
|
930fb9 |
msg.msg_iovlen = 1;
|
|
|
930fb9 |
i = 0;
|
|
|
930fb9 |
while (1) {
|
|
|
930fb9 |
-next:
|
|
|
930fb9 |
status = rtnl_recvmsg(rtnl->fd, &msg, &buf;;
|
|
|
930fb9 |
++i;
|
|
|
930fb9 |
|
|
|
930fb9 |
@@ -660,27 +659,23 @@ next:
|
|
|
930fb9 |
|
|
|
930fb9 |
if (l < sizeof(struct nlmsgerr)) {
|
|
|
930fb9 |
fprintf(stderr, "ERROR truncated\n");
|
|
|
930fb9 |
- } else if (!err->error) {
|
|
|
930fb9 |
+ free(buf);
|
|
|
930fb9 |
+ return -1;
|
|
|
930fb9 |
+ }
|
|
|
930fb9 |
+
|
|
|
930fb9 |
+ if (!err->error)
|
|
|
930fb9 |
/* check messages from kernel */
|
|
|
930fb9 |
nl_dump_ext_ack(h, errfn);
|
|
|
930fb9 |
|
|
|
930fb9 |
- if (answer)
|
|
|
930fb9 |
- *answer = (struct nlmsghdr *)buf;
|
|
|
930fb9 |
- else
|
|
|
930fb9 |
- free(buf);
|
|
|
930fb9 |
- if (h->nlmsg_seq == seq)
|
|
|
930fb9 |
- return 0;
|
|
|
930fb9 |
- else if (i < iovlen)
|
|
|
930fb9 |
- goto next;
|
|
|
930fb9 |
- return 0;
|
|
|
930fb9 |
- }
|
|
|
930fb9 |
-
|
|
|
930fb9 |
if (rtnl->proto != NETLINK_SOCK_DIAG &&
|
|
|
930fb9 |
show_rtnl_err)
|
|
|
930fb9 |
rtnl_talk_error(h, err, errfn);
|
|
|
930fb9 |
|
|
|
930fb9 |
errno = -err->error;
|
|
|
930fb9 |
- free(buf);
|
|
|
930fb9 |
+ if (answer)
|
|
|
930fb9 |
+ *answer = (struct nlmsghdr *)buf;
|
|
|
930fb9 |
+ else
|
|
|
930fb9 |
+ free(buf);
|
|
|
930fb9 |
return -i;
|
|
|
930fb9 |
}
|
|
|
930fb9 |
|
|
|
930fb9 |
--
|
|
|
930fb9 |
1.8.3.1
|
|
|
930fb9 |
|