From e7c11266309ffa65143455ceefc17fe92d93511c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 25 Oct 2018 12:24:30 +0200
Subject: [PATCH] libnetlink: fix use-after-free of message buf

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1602555
Upstream Status: iproute2.git commit 8c50b728b226f

commit 8c50b728b226f6254251282697ce38a72639a6fc
Author: Vlad Buslov <vladbu@mellanox.com>
Date:   Mon Oct 8 23:52:26 2018 +0300

    libnetlink: fix use-after-free of message buf

    In __rtnl_talk_iov() main loop, err is a pointer to memory in dynamically
    allocated 'buf' that is used to store netlink messages. If netlink message
    is an error message, buf is deallocated before returning with error code.
    However, on return err->error code is checked one more time to generate
    return value, after memory which err points to has already been
    freed. Save error code in temporary variable and use the variable to
    generate return value.

    Fixes: c60389e4f9ea ("libnetlink: fix leak and using unused memory on error")
    Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
    Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/libnetlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index f18dcea..a9932d4 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -656,6 +656,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
 
 			if (h->nlmsg_type == NLMSG_ERROR) {
 				struct nlmsgerr *err = (struct nlmsgerr *)NLMSG_DATA(h);
+				int error = err->error;
 
 				if (l < sizeof(struct nlmsgerr)) {
 					fprintf(stderr, "ERROR truncated\n");
@@ -679,7 +680,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
 				else
 					free(buf);
 
-				return err->error ? -i : 0;
+				return error ? -i : 0;
 			}
 
 			if (answer) {
-- 
1.8.3.1