diff options
author | Jiri Pirko <jiri@nvidia.com> | 2023-12-07 13:53:51 +0100 |
---|---|---|
committer | Stephen Hemminger <stephen@networkplumber.org> | 2023-12-08 09:30:11 -0800 |
commit | 1a68525f4613b4e02e83d4b8004f22ac7ecbfedf (patch) | |
tree | c21b222c4c37098433908b5980bcbdf900710cc3 | |
parent | aed89de0e16bd5d58eae18d357a63aa83b4cbf57 (diff) | |
download | iproute2-next-1a68525f4613b4e02e83d4b8004f22ac7ecbfedf.tar.gz |
mnl_utils: sanitize incoming netlink payload size in callbacks
Don't trust the kernel to send payload of certain size. Sanitize that by
checking the payload length in mnlu_cb_stop() and mnlu_cb_error() and
only access the payload if it is of required size.
Note that for mnlu_cb_stop(), this is happening already for example
with devlink resource. Kernel sends NLMSG_DONE with zero size payload.
Fixes: 049c58539f5d ("devlink: mnlg: Add support for extended ack")
Fixes: c934da8aaacb ("devlink: mnlg: Catch returned error value of dumpit commands")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
-rw-r--r-- | lib/mnl_utils.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/mnl_utils.c b/lib/mnl_utils.c index 1c7822282..af5aa4f9e 100644 --- a/lib/mnl_utils.c +++ b/lib/mnl_utils.c @@ -61,6 +61,8 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data) { const struct nlmsgerr *err = mnl_nlmsg_get_payload(nlh); + if (mnl_nlmsg_get_payload_len(nlh) < sizeof(*err)) + return MNL_CB_STOP; /* Netlink subsystems returns the errno value with different signess */ if (err->error < 0) errno = -err->error; @@ -75,8 +77,11 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data) static int mnlu_cb_stop(const struct nlmsghdr *nlh, void *data) { - int len = *(int *)NLMSG_DATA(nlh); + int len; + if (mnl_nlmsg_get_payload_len(nlh) < sizeof(len)) + return MNL_CB_STOP; + len = *(int *)mnl_nlmsg_get_payload(nlh); if (len < 0) { errno = -len; nl_dump_ext_ack_done(nlh, sizeof(int), len); |