| Message ID | 20231207125351.965767-1-jiri@resnulli.us (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 1a68525f4613b4e02e83d4b8004f22ac7ecbfedf |
| Delegated to: | Stephen Hemminger |
| Headers | show |
| Series | [iproute2] mnl_utils: sanitize incoming netlink payload size in callbacks | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
Hello: This patch was applied to iproute2/iproute2.git (main) by Stephen Hemminger <stephen@networkplumber.org>: On Thu, 7 Dec 2023 13:53:51 +0100 you wrote: > From: Jiri Pirko <jiri@nvidia.com> > > Don't trust the kernel to send payload of certain size. Sanitize that by > checking the payload length in mnlu_cb_stop() and mnlu_cb_error() and > only access the payload if it is of required size. > > Note that for mnlu_cb_stop(), this is happening already for example > with devlink resource. Kernel sends NLMSG_DONE with zero size payload. > > [...] Here is the summary with links: - [iproute2] mnl_utils: sanitize incoming netlink payload size in callbacks https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=1a68525f4613 You are awesome, thank you!
diff --git a/lib/mnl_utils.c b/lib/mnl_utils.c index 1c78222828ff..af5aa4f9eda4 100644 --- a/lib/mnl_utils.c +++ b/lib/mnl_utils.c @@ -61,6 +61,8 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data) { const struct nlmsgerr *err = mnl_nlmsg_get_payload(nlh); + if (mnl_nlmsg_get_payload_len(nlh) < sizeof(*err)) + return MNL_CB_STOP; /* Netlink subsystems returns the errno value with different signess */ if (err->error < 0) errno = -err->error; @@ -75,8 +77,11 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data) static int mnlu_cb_stop(const struct nlmsghdr *nlh, void *data) { - int len = *(int *)NLMSG_DATA(nlh); + int len; + if (mnl_nlmsg_get_payload_len(nlh) < sizeof(len)) + return MNL_CB_STOP; + len = *(int *)mnl_nlmsg_get_payload(nlh); if (len < 0) { errno = -len; nl_dump_ext_ack_done(nlh, sizeof(int), len);