2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
new file mode 100644
index 0000000000..594dd0616a
--- /dev/null
+++ b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
@@ -0,0 +1,43 @@
+From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 6 Feb 2017 22:23:52 +0100
+Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
+In general, libnl functions are not robust against calling with
+invalid arguments. Thus, never call libnl functions with invalid
+arguments. In case of nlmsg_reserve() this means never provide
+a @len argument that causes overflow.
+Still, add an additional safeguard to avoid exploiting such bugs.
+Assume that @pad is a trusted, small integer.
+Assume that n->nm_size is a valid number of allocated bytes (and thus
+much smaller then SIZE_T_MAX).
+Assume, that @len may be set to an untrusted value. Then the patch
+avoids an integer overflow resulting in reserving too few bytes.
+Upstream-Status: Backport [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb]
+CVE: CVE-2017-0553
+Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
+---
+ lib/msg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/lib/msg.c b/lib/msg.c
+index 9af3f3a..3e27d4e 100644
+--- a/lib/msg.c
+++ b/lib/msg.c
+@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
+        size_t nlmsg_len = n->nm_nlh->nlmsg_len;
+        size_t tlen;
+ 
+       if (len > n->nm_size)
+               return NULL;
+
+        tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
+ 
+        if ((tlen + nlmsg_len) > n->nm_size)
+-- 
+1.9.1
diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb
index 7d4839ba50..4ce80e871b 100644
--- a/meta/recipes-support/libnl/libnl_3.2.29.bb
+++ b/meta/recipes-support/libnl/libnl_3.2.29.bb
@@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native"
 SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \
           file://fix-pktloc_syntax_h-race.patch \
           file://fix-pc-file.patch \
+           file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \
 "
 UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"
 SRC_URI[md5sum] = "a8ba62a5c4f883f4e493a46d1f3733fe"

diff --git a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch new file mode 100644 index 0000000000..594dd0616a --- /dev/null +++ b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
@@ -0,0 +1,43 @@
		1	From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
		2	From: Thomas Haller <thaller@redhat.com>
		3	Date: Mon, 6 Feb 2017 22:23:52 +0100
		4	Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
		5
		6	In general, libnl functions are not robust against calling with
		7	invalid arguments. Thus, never call libnl functions with invalid
		8	arguments. In case of nlmsg_reserve() this means never provide
		9	a @len argument that causes overflow.
		10
		11	Still, add an additional safeguard to avoid exploiting such bugs.
		12
		13	Assume that @pad is a trusted, small integer.
		14	Assume that n->nm_size is a valid number of allocated bytes (and thus
		15	much smaller then SIZE_T_MAX).
		16	Assume, that @len may be set to an untrusted value. Then the patch
		17	avoids an integer overflow resulting in reserving too few bytes.
		18
		19	Upstream-Status: Backport [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb]
		20	CVE: CVE-2017-0553
		21
		22	Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
		23	---
		24	lib/msg.c \| 3 +++
		25	1 file changed, 3 insertions(+)
		26
		27	diff --git a/lib/msg.c b/lib/msg.c
		28	index 9af3f3a..3e27d4e 100644
		29	--- a/lib/msg.c
		30	+++ b/lib/msg.c
		31	@@ -411,6 +411,9 @@ void nlmsg_reserve(struct nl_msg n, size_t len, int pad)
		32	size_t nlmsg_len = n->nm_nlh->nlmsg_len;
		33	size_t tlen;
		34
		35	+ if (len > n->nm_size)
		36	+ return NULL;
		37	+
		38	tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
		39
		40	if ((tlen + nlmsg_len) > n->nm_size)
		41	--
		42	1.9.1
		43


diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb index 7d4839ba50..4ce80e871b 100644 --- a/meta/recipes-support/libnl/libnl_3.2.29.bb +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb
@@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native"
12	SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \	12	SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \
13	file://fix-pktloc_syntax_h-race.patch \	13	file://fix-pktloc_syntax_h-race.patch \
14	file://fix-pc-file.patch \	14	file://fix-pc-file.patch \
		15	file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \
15	"	16	"
		17
16	UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"	18	UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"
17		19
18	SRC_URI[md5sum] = "a8ba62a5c4f883f4e493a46d1f3733fe"	20	SRC_URI[md5sum] = "a8ba62a5c4f883f4e493a46d1f3733fe"