diff options
| author | Jo-Philipp Wich <jo@mein.io> | 2021-09-15 20:16:20 +0200 |
|---|---|---|
| committer | Jo-Philipp Wich <jo@mein.io> | 2021-09-15 21:09:17 +0200 |
| commit | 7fa10088c93b370e7b9541db05cdfd0c68ea41cd (patch) | |
| tree | 15d9a1ad51bb698aeb649d3cdf617d1a8e8b06bc /lib | |
| parent | cbae3cba1964ebf367dd84524c6403a308302ace (diff) | |
rtnl: allow reply nla payloads to be smaller than headsize
Some netlink replies contain attributes with embeded payloads whose
length depends on the kernel version, e.g. IFLA_INET_CONF and
IFLA_INET6_CONF.
Deal with such cases by allowing the payloads to be shorter than
the expected size and by skipping struct members which would lead
to out-of-bounds accesses.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/rtnl.c | 17 |
1 files changed, 12 insertions, 5 deletions
@@ -1273,8 +1273,8 @@ uc_nl_convert_attr(const uc_nl_attr_spec_t *spec, struct nl_msg *msg, char *base static bool uc_nl_convert_attrs(struct nl_msg *msg, void *buf, size_t buflen, size_t headsize, const uc_nl_attr_spec_t *attrs, size_t nattrs, uc_vm_t *vm, uc_value_t *obj) { + size_t i, maxattr = 0, structlen = headsize; struct nlattr **tb, *nla, *nla_nest; - size_t i, maxattr = 0; uc_value_t *v, *arr; int rem; @@ -1287,9 +1287,15 @@ uc_nl_convert_attrs(struct nl_msg *msg, void *buf, size_t buflen, size_t headsiz if (!tb) return false; - nla_parse(tb, maxattr, buf + headsize, buflen - headsize, NULL); + if (buflen > headsize) + nla_parse(tb, maxattr, buf + headsize, buflen - headsize, NULL); + else + structlen = buflen; for (i = 0; i < nattrs; i++) { + if (attrs[i].attr == 0 && (uintptr_t)attrs[i].auxdata >= structlen) + continue; + if (attrs[i].attr != 0 && !tb[attrs[i].attr]) continue; @@ -1297,6 +1303,10 @@ uc_nl_convert_attrs(struct nl_msg *msg, void *buf, size_t buflen, size_t headsiz continue; if (attrs[i].flags & DF_MULTIPLE) { + /* can't happen, but needed to nudge clang-analyzer */ + if (!tb[attrs[i].attr]) + continue; + arr = ucv_array_new(vm); nla_nest = tb[attrs[i].attr]; @@ -2338,9 +2348,6 @@ uc_nl_convert_rta_nested(const uc_nl_attr_spec_t *spec, struct nl_msg *msg, stru uc_value_t *nested_obj; bool rv; - if (!nla_check_len(tb[spec->attr], nest->headsize)) - return NULL; - nested_obj = ucv_object_new(vm); rv = uc_nl_convert_attrs(msg, |