|
 |
cd1737 |
From dcafeb49b2538cc7118cb64f62c685980c106b48 Mon Sep 17 00:00:00 2001
|
|
|
cd1737 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
cd1737 |
Date: Tue, 6 Mar 2018 11:35:28 +0100
|
|
|
cd1737 |
Subject: [PATCH] ip-link: Fix use after free in nl_get_ll_addr_len()
|
|
|
cd1737 |
|
|
|
cd1737 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1550097
|
|
|
cd1737 |
Upstream Status: iproute2.git commit 06867c3719587
|
|
|
cd1737 |
|
|
|
cd1737 |
commit 06867c371958773e39b4ccac07cfe3e2fff2ea55
|
|
|
cd1737 |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
cd1737 |
Date: Thu Mar 1 10:35:12 2018 +0100
|
|
|
cd1737 |
|
|
|
cd1737 |
ip-link: Fix use after free in nl_get_ll_addr_len()
|
|
|
cd1737 |
|
|
|
cd1737 |
Immediately after freeing the buffer returned from rtnl_talk(), it is
|
|
|
cd1737 |
accessed again via pointer in struct rtattr array. This leads to some
|
|
|
cd1737 |
builds not allowing to set an interface's MAC address because the
|
|
|
cd1737 |
expected length value is garbage.
|
|
|
cd1737 |
|
|
|
cd1737 |
Fixes: 86bf43c7c2fdc ("lib/libnetlink: update rtnl_talk to support malloc buff at run time")
|
|
|
cd1737 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
cd1737 |
---
|
|
|
cd1737 |
ip/iplink.c | 3 ++-
|
|
|
cd1737 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
cd1737 |
|
|
|
cd1737 |
diff --git a/ip/iplink.c b/ip/iplink.c
|
|
|
d30c09 |
index 193997cad2a35..db5b2c9645ba8 100644
|
|
|
cd1737 |
--- a/ip/iplink.c
|
|
|
cd1737 |
+++ b/ip/iplink.c
|
|
|
cd1737 |
@@ -268,8 +268,9 @@ static int nl_get_ll_addr_len(unsigned int dev_index)
|
|
|
cd1737 |
return -1;
|
|
|
cd1737 |
}
|
|
|
cd1737 |
|
|
|
cd1737 |
+ len = RTA_PAYLOAD(tb[IFLA_ADDRESS]);
|
|
|
cd1737 |
free(answer);
|
|
|
cd1737 |
- return RTA_PAYLOAD(tb[IFLA_ADDRESS]);
|
|
|
cd1737 |
+ return len;
|
|
|
cd1737 |
}
|
|
|
cd1737 |
|
|
|
cd1737 |
static void iplink_parse_vf_vlan_info(int vf, int *argcp, char ***argvp,
|
|
|
cd1737 |
--
|
|
|
d30c09 |
2.21.0
|
|
|
cd1737 |
|