naccyde / rpms / iproute

Forked from rpms/iproute 9 months ago

Blame SOURCES/0043-ip-link-Fix-use-after-free-in-nl_get_ll_addr_len.patch

From dcafeb49b2538cc7118cb64f62c685980c106b48 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 6 Mar 2018 11:35:28 +0100
Subject: [PATCH] ip-link: Fix use after free in nl_get_ll_addr_len()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1550097
Upstream Status: iproute2.git commit 06867c3719587

commit 06867c371958773e39b4ccac07cfe3e2fff2ea55
Author: Phil Sutter <phil@nwl.cc>
Date:   Thu Mar 1 10:35:12 2018 +0100

    ip-link: Fix use after free in nl_get_ll_addr_len()

    Immediately after freeing the buffer returned from rtnl_talk(), it is
    accessed again via pointer in struct rtattr array. This leads to some
    builds not allowing to set an interface's MAC address because the
    expected length value is garbage.

    Fixes: 86bf43c7c2fdc ("lib/libnetlink: update rtnl_talk to support malloc buff at run time")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 ip/iplink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ip/iplink.c b/ip/iplink.c
index 193997c..db5b2c9 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -268,8 +268,9 @@ static int nl_get_ll_addr_len(unsigned int dev_index)
 		return -1;
 	}
 
+	len = RTA_PAYLOAD(tb[IFLA_ADDRESS]);
 	free(answer);
-	return RTA_PAYLOAD(tb[IFLA_ADDRESS]);
+	return len;
 }
 
 static void iplink_parse_vf_vlan_info(int vf, int *argcp, char ***argvp,
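Review bot: The ordering in this hunk is the whole fix, yet nothing records why it must stay this way: `len = RTA_PAYLOAD(tb[IFLA_ADDRESS]);` now sits one line above `free(answer);` because, as the commit message says, the `struct rtattr` pointers in `tb[]` point into the `answer` buffer that `rtnl_talk()` returned, so reading them after `free()` is the use-after-free being fixed. Add a short comment above the new assignment, e.g. `/* tb[] points into answer; read the length before freeing it */`, so a later refactor does not move the read back below the `free()`. Also, the declaration of `len` is outside the visible hunk (the stat shows only these two insertions and one deletion), so confirm its type can hold the unsigned value `RTA_PAYLOAD()` yields and that returning it through the function's `int` return type is intended.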
-- 
1.8.3.1