From: Cheoleun Moon Date: Tue, 3 Sep 2019 01:22:12 +0000 (+0900) Subject: lib: check for integer-overflow in nlmsg_reserve() X-Git-Tag: accepted/tizen/5.5/unified/20191031.011104^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Faccepted%2Ftizen_5.5_unified;p=platform%2Fupstream%2Flibnl3.git lib: check for integer-overflow in nlmsg_reserve() In general, libnl functions are not robust against calling with invalid arguments. Thus, never call libnl functions with invalid arguments. In case of nlmsg_reserve() this means never provide a @len argument that causes overflow. Still, add an additional safeguard to avoid exploiting such bugs. Assume that @pad is a trusted, small integer. Assume that n->nm_size is a valid number of allocated bytes (and thus much smaller then SIZE_T_MAX). Assume, that @len may be set to an untrusted value. Then the patch avoids an integer overflow resulting in reserving too few bytes. http://git.infradead.org/users/tgr/libnl.git/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Fix CVE-2017-0553 Change-Id: Ia9ad5040d866d2cc4c1c76eac5275d66edda338b Signed-off-by: Cheoleun Moon --- diff --git a/lib/msg.c b/lib/msg.c index 6478507..b30b90a 100644 --- a/lib/msg.c +++ b/lib/msg.c @@ -415,6 +415,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) size_t nlmsg_len = n->nm_nlh->nlmsg_len; size_t tlen; + if (len > n->nm_size) + return NULL; + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; if ((tlen + nlmsg_len) > n->nm_size)