|
 |
bc8210 |
From 4c39012783e0e376603138dddae9cd876bdd01ce Mon Sep 17 00:00:00 2001
|
|
|
bc8210 |
From: Thomas Haller <thaller@redhat.com>
|
|
|
bc8210 |
Date: Mon, 6 Feb 2017 22:23:52 +0100
|
|
|
bc8210 |
Subject: [PATCH 1/2] lib: check for integer-overflow in nlmsg_reserve()
|
|
|
bc8210 |
|
|
|
bc8210 |
In general, libnl functions are not robust against calling with
|
|
|
bc8210 |
invalid arguments. Thus, never call libnl functions with invalid
|
|
|
bc8210 |
arguments. In case of nlmsg_reserve() this means never provide
|
|
|
bc8210 |
a @len argument that causes overflow.
|
|
|
bc8210 |
|
|
|
bc8210 |
Still, add an additional safeguard to avoid exploiting such bugs.
|
|
|
bc8210 |
|
|
|
bc8210 |
Assume that @pad is a trusted, small integer.
|
|
|
bc8210 |
Assume that n->nm_size is a valid number of allocated bytes (and thus
|
|
|
bc8210 |
much smaller then SIZE_T_MAX).
|
|
|
bc8210 |
Assume, that @len may be set to an untrusted value. Then the patch
|
|
|
bc8210 |
avoids an integer overflow resulting in reserving too few bytes.
|
|
|
bc8210 |
|
|
|
bc8210 |
(cherry picked from commit 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb)
|
|
|
bc8210 |
---
|
|
|
bc8210 |
lib/msg.c | 3 +++
|
|
|
bc8210 |
1 file changed, 3 insertions(+)
|
|
|
bc8210 |
|
|
|
bc8210 |
diff --git a/lib/msg.c b/lib/msg.c
|
|
|
bc8210 |
index e8a7e99..f30fd2d 100644
|
|
|
bc8210 |
--- a/lib/msg.c
|
|
|
bc8210 |
+++ b/lib/msg.c
|
|
|
bc8210 |
@@ -410,6 +410,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
|
|
|
bc8210 |
size_t nlmsg_len = n->nm_nlh->nlmsg_len;
|
|
|
bc8210 |
size_t tlen;
|
|
|
bc8210 |
|
|
|
bc8210 |
+ if (len > n->nm_size)
|
|
|
bc8210 |
+ return NULL;
|
|
|
bc8210 |
+
|
|
|
bc8210 |
tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
|
|
|
bc8210 |
|
|
|
bc8210 |
if ((tlen + nlmsg_len) > n->nm_size)
|
|
|
bc8210 |
--
|
|
|
bc8210 |
2.9.3
|
|
|
bc8210 |
|
|
|
bc8210 |
|
|
|
bc8210 |
From 1b347b7e5892eac5ea71090b8ec6c08756b0dcd4 Mon Sep 17 00:00:00 2001
|
|
|
bc8210 |
From: Thomas Haller <thaller@redhat.com>
|
|
|
bc8210 |
Date: Wed, 18 Jan 2017 11:59:23 +0100
|
|
|
bc8210 |
Subject: [PATCH 2/2] lib/attr.c: check for valid length argument in
|
|
|
bc8210 |
nla_reserve()
|
|
|
bc8210 |
|
|
|
bc8210 |
https://github.com/thom311/libnl/issues/124
|
|
|
bc8210 |
(cherry picked from commit c473d59f972c35c5a7363d52ee6ee1e0792de0f8)
|
|
|
bc8210 |
---
|
|
|
bc8210 |
lib/attr.c | 11 +++++++++--
|
|
|
bc8210 |
1 file changed, 9 insertions(+), 2 deletions(-)
|
|
|
bc8210 |
|
|
|
bc8210 |
diff --git a/lib/attr.c b/lib/attr.c
|
|
|
bc8210 |
index a3d1b16..0dca3ec 100644
|
|
|
bc8210 |
--- a/lib/attr.c
|
|
|
bc8210 |
+++ b/lib/attr.c
|
|
|
bc8210 |
@@ -457,7 +457,10 @@ struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
|
|
|
bc8210 |
{
|
|
|
bc8210 |
struct nlattr *nla;
|
|
|
bc8210 |
int tlen;
|
|
|
bc8210 |
-
|
|
|
bc8210 |
+
|
|
|
bc8210 |
+ if (attrlen < 0)
|
|
|
bc8210 |
+ return NULL;
|
|
|
bc8210 |
+
|
|
|
bc8210 |
tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen);
|
|
|
bc8210 |
|
|
|
bc8210 |
if (tlen > msg->nm_size)
|
|
|
bc8210 |
@@ -499,8 +502,12 @@ int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data)
|
|
|
bc8210 |
struct nlattr *nla;
|
|
|
bc8210 |
|
|
|
bc8210 |
nla = nla_reserve(msg, attrtype, datalen);
|
|
|
bc8210 |
- if (!nla)
|
|
|
bc8210 |
+ if (!nla) {
|
|
|
bc8210 |
+ if (datalen < 0)
|
|
|
bc8210 |
+ return -NLE_INVAL;
|
|
|
bc8210 |
+
|
|
|
bc8210 |
return -NLE_NOMEM;
|
|
|
bc8210 |
+ }
|
|
|
bc8210 |
|
|
|
bc8210 |
if (datalen > 0) {
|
|
|
bc8210 |
memcpy(nla_data(nla), data, datalen);
|
|
|
bc8210 |
--
|
|
|
bc8210 |
2.9.3
|
|
|
bc8210 |
|