blob: 594dd0616afe216fc656804ef320774933742e32 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Mon, 6 Feb 2017 22:23:52 +0100
Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
In general, libnl functions are not robust against calling with
invalid arguments. Thus, never call libnl functions with invalid
arguments. In case of nlmsg_reserve() this means never provide
a @len argument that causes overflow.
Still, add an additional safeguard to avoid exploiting such bugs.
Assume that @pad is a trusted, small integer.
Assume that n->nm_size is a valid number of allocated bytes (and thus
much smaller then SIZE_T_MAX).
Assume, that @len may be set to an untrusted value. Then the patch
avoids an integer overflow resulting in reserving too few bytes.
Upstream-Status: Backport [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb]
CVE: CVE-2017-0553
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
---
lib/msg.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/msg.c b/lib/msg.c
index 9af3f3a..3e27d4e 100644
--- a/lib/msg.c
+++ b/lib/msg.c
@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
size_t nlmsg_len = n->nm_nlh->nlmsg_len;
size_t tlen;
+ if (len > n->nm_size)
+ return NULL;
+
tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
if ((tlen + nlmsg_len) > n->nm_size)
--
1.9.1
|
