From: Cheoleun Moon <chleun.moon@samsung.com>
Date: Tue, 3 Sep 2019 01:22:12 +0000 (+0900)
Subject: lib: check for integer-overflow in nlmsg_reserve()
X-Git-Tag: accepted/tizen/5.5/unified/20191031.011104^0
X-Git-Url: http://review.tizen.org/git/?p=platform%2Fupstream%2Flibnl3.git;a=commitdiff_plain

lib: check for integer-overflow in nlmsg_reserve()

In general, libnl functions are not robust against calling with
invalid arguments. Thus, never call libnl functions with invalid
arguments. In case of nlmsg_reserve() this means never provide
a @len argument that causes overflow.

Still, add an additional safeguard to avoid exploiting such bugs.

Assume that @pad is a trusted, small integer.
Assume that n->nm_size is a valid number of allocated bytes (and thus
much smaller then SIZE_T_MAX).
Assume, that @len may be set to an untrusted value. Then the patch
avoids an integer overflow resulting in reserving too few bytes.

http://git.infradead.org/users/tgr/libnl.git/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb
Fix CVE-2017-0553

Change-Id: Ia9ad5040d866d2cc4c1c76eac5275d66edda338b
Signed-off-by: Cheoleun Moon <chleun.moon@samsung.com>
---

diff --git a/lib/msg.c b/lib/msg.c
index 6478507..b30b90a 100644
--- a/lib/msg.c
+++ b/lib/msg.c
@@ -415,6 +415,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
 	size_t nlmsg_len = n->nm_nlh->nlmsg_len;
 	size_t tlen;
 
+	if (len > n->nm_size)
+		return NULL;
+
 	tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
 
 	if ((tlen + nlmsg_len) > n->nm_size)