From 523566d70426aeb2afffada42cbfdd7d4b0f33ee Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 8 Jun 2022 10:50:25 +0200
Subject: rtnl: zero request message headers

For route netlink request messages having a header struct, uc_nl_request() invokes nlmsg_reserve() to reserve room for the struct data but the nlmsg_reserve() function only zeroes additional alignment bytes, not the actual reserved buffer space. Extend the existing logic to explicitly zero out the reserved header space in order to avoid sending uninitialized struct member values to the kernel.

Signed-off-by: Jo-Philipp Wich
---
 lib/rtnl.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/rtnl.c b/lib/rtnl.c
index b6a3e38..a118544 100644
--- a/lib/rtnl.c
+++ b/lib/rtnl.c
@@ -3121,6 +3121,7 @@ uc_nl_request(uc_vm_t *vm, size_t nargs)
 int enable = 1, err;
 struct nl_msg *msg;
 struct nl_cb *cb;
+ void *buf;
 size_t i;

 if (ucv_type(cmd) != UC_INTEGER || ucv_int64_get(cmd) < 0 ||
@@ -3168,7 +3169,17 @@ uc_nl_request(uc_vm_t *vm, size_t nargs)
 err_return(NLE_NOMEM, NULL);

 if (st.spec) {
- nlmsg_reserve(msg, st.spec->headsize, 0);
+ if (st.spec->headsize) {
+ buf = nlmsg_reserve(msg, st.spec->headsize, 0);
+
+ if (!buf) {
+ nlmsg_free(msg);
+
+ return NULL;
+ }
+
+ memset(buf, 0, st.spec->headsize);
+ }

 if (!uc_nl_parse_attrs(msg, NLMSG_DATA(nlmsg_hdr(msg)), st.spec->attrs, st.spec->nattrs, vm, payload)) {
 nlmsg_free(msg);
-- 
cgit v1.2.3
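Review bot: The new `if (!buf)` branch in the second hunk returns NULL without recording an error, whereas the allocation failure in the context line just above goes through `err_return(NLE_NOMEM, NULL)`; a caller then cannot tell a failed reserve from any other null result and may read a stale error code. Consider `nlmsg_free(msg);` followed by `err_return(NLE_NOMEM, NULL);` in that branch, assuming err_return only records the code and returns, which this hunk does not show. A one-line comment above the memset, such as `/* nlmsg_reserve() zeroes only alignment padding; clear the header so no uninitialized bytes reach the kernel */`, would keep the reason for the explicit clearing next to the code. The body of uc_nl_request starts and ends outside the hunk.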