lib: check for integer-overflow in nlmsg_reserve()
author: Cheoleun Moon <chleun.moon@samsung.com>
Tue, 3 Sep 2019 01:22:12 +0000 (10:22 +0900)
committer: Cheoleun Moon <chleun.moon@samsung.com>
Tue, 3 Sep 2019 01:22:17 +0000 (10:22 +0900)
In general, libnl functions are not robust against calling with
invalid arguments. Thus, never call libnl functions with invalid
arguments. In case of nlmsg_reserve() this means never provide
a @len argument that causes overflow.

Still, add an additional safeguard to avoid exploiting such bugs.

Assume that @pad is a trusted, small integer.
Assume that n->nm_size is a valid number of allocated bytes (and thus
much smaller than SIZE_T_MAX).
Assume that @len may be set to an untrusted value. Then the patch
avoids an integer overflow resulting in reserving too few bytes.

http://git.infradead.org/users/tgr/libnl.git/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb
Fix CVE-2017-0553

Change-Id: Ia9ad5040d866d2cc4c1c76eac5275d66edda338b
Signed-off-by: Cheoleun Moon <chleun.moon@samsung.com>
lib/msg.c

index 6478507..b30b90a 100644
--- a/lib/msg.c
+++ b/lib/msg.c
@@ -415,6 +415,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
        size_t nlmsg_len = n->nm_nlh->nlmsg_len;
        size_t tlen;
 
+       if (len > n->nm_size)
+               return NULL;
+
        tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
 
        if ((tlen + nlmsg_len) > n->nm_size)
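Review bot: the new `if (len > n->nm_size) return NULL;` at the top of the hunk deserves a one-line code comment, because the existing `if ((tlen + nlmsg_len) > n->nm_size)` three lines below makes it look redundant, while its actual purpose (bounding len before `len + (pad - 1)` is computed so the rounding cannot wrap to a small tlen) is stated only in the commit message. It also relies on the commit message's assumptions that pad is a small positive value and nm_size is far below SIZE_T_MAX; a negative or non-power-of-two pad still makes `pad - 1` and `~(pad - 1)` misbehave, so the caller contract for pad should stay documented next to the function.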