diff --git a/SOURCES/0003-nl-reserve-integer-overflow-rh1442723.patch b/SOURCES/0003-nl-reserve-integer-overflow-rh1442723.patch new file mode 100644 index 0000000..17df054 --- /dev/null +++ b/SOURCES/0003-nl-reserve-integer-overflow-rh1442723.patch @@ -0,0 +1,86 @@ +From 4c39012783e0e376603138dddae9cd876bdd01ce Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Mon, 6 Feb 2017 22:23:52 +0100 +Subject: [PATCH 1/2] lib: check for integer-overflow in nlmsg_reserve() + +In general, libnl functions are not robust against calling with +invalid arguments. Thus, never call libnl functions with invalid +arguments. In case of nlmsg_reserve() this means never provide +a @len argument that causes overflow. + +Still, add an additional safeguard to avoid exploiting such bugs. + +Assume that @pad is a trusted, small integer. +Assume that n->nm_size is a valid number of allocated bytes (and thus +much smaller then SIZE_T_MAX). +Assume, that @len may be set to an untrusted value. Then the patch +avoids an integer overflow resulting in reserving too few bytes. + +(cherry picked from commit 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb) +--- + lib/msg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/msg.c b/lib/msg.c +index e8a7e99..f30fd2d 100644 +--- a/lib/msg.c ++++ b/lib/msg.c +@@ -410,6 +410,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) + size_t nlmsg_len = n->nm_nlh->nlmsg_len; + size_t tlen; + ++ if (len > n->nm_size) ++ return NULL; ++ + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; + + if ((tlen + nlmsg_len) > n->nm_size) +-- +2.9.3 + + +From 1b347b7e5892eac5ea71090b8ec6c08756b0dcd4 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Wed, 18 Jan 2017 11:59:23 +0100 +Subject: [PATCH 2/2] lib/attr.c: check for valid length argument in + nla_reserve() + +https://github.com/thom311/libnl/issues/124 +(cherry picked from commit c473d59f972c35c5a7363d52ee6ee1e0792de0f8) +--- + lib/attr.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/lib/attr.c b/lib/attr.c +index a3d1b16..0dca3ec 100644 +--- a/lib/attr.c ++++ b/lib/attr.c +@@ -457,7 +457,10 @@ struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen) + { + struct nlattr *nla; + int tlen; +- ++ ++ if (attrlen < 0) ++ return NULL; ++ + tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen); + + if (tlen > msg->nm_size) +@@ -499,8 +502,12 @@ int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data) + struct nlattr *nla; + + nla = nla_reserve(msg, attrtype, datalen); +- if (!nla) ++ if (!nla) { ++ if (datalen < 0) ++ return -NLE_INVAL; ++ + return -NLE_NOMEM; ++ } + + if (datalen > 0) { + memcpy(nla_data(nla), data, datalen); +-- +2.9.3 + diff --git a/SPECS/libnl3.spec b/SPECS/libnl3.spec index 3931bfd..0d66b5e 100644 --- a/SPECS/libnl3.spec +++ b/SPECS/libnl3.spec @@ -1,6 +1,6 @@ Name: libnl3 Version: 3.2.28 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Convenience library for kernel netlink sockets Group: Development/Libraries License: LGPLv2 @@ -13,6 +13,7 @@ Source1: http://www.infradead.org/~tgr/libnl/files/libnl-doc-%{fullversion}.tar. Patch1: 0001-compare-v4-addr-rh1370503.patch Patch2: 0002-msg-peek-by-default-rh1396882.patch +Patch3: 0003-nl-reserve-integer-overflow-rh1442723.patch BuildRequires: flex bison BuildRequires: python @@ -54,6 +55,7 @@ This package contains libnl3 API documentation %setup -q -n libnl-%{fullversion} %patch1 -p1 %patch2 -p1 +%patch3 -p1 tar -xzf %SOURCE1 @@ -125,6 +127,9 @@ make check %doc libnl-doc-%{fullversion}/api/* %changelog +* Tue Apr 18 2017 Thomas Haller - 3.2.28-4 +* lib: check for integer overflow in nl_reserve() (rh#1440788, rh#1442723) + * Mon Jan 9 2017 Thomas Haller - 3.2.28-3 - lib: use MSG_PEEK by default for nl_msgrecvs() (rh#1396882)