author | Max Kunzelmann <maxdev@posteo.de> | 2023-11-07 01:20:55 +0000 |
---|---|---|
committer | Stephen Hemminger <stephen@networkplumber.org> | 2023-11-09 09:03:57 -0800 |
commit | 78eebdbc7d2f96b01a18d7db33c1c99266efc4bc (patch) | |
tree | 16a78b94c273e765d3b4c87ea99a238d98538398 | |
parent | deb66acabe44d103c8368b62a76ef37aa074748d (diff) | |
download | iproute2-78eebdbc7d2f96b01a18d7db33c1c99266efc4bc.tar.gz |
libnetlink: validate nlmsg header length first
Validate the nlmsg header length before accessing the nlmsg payload
length.
Fixes: 892a25e286fb ("libnetlink: break up dump function")
Signed-off-by: Max Kunzelmann <maxdev@posteo.de>
Reviewed-by: Benny Baumann <BenBE@geshi.org>
Reviewed-by: Robert Geislinger <github@crpykng.de>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
-rw-r--r-- | lib/libnetlink.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libnetlink.c b/lib/libnetlink.c index 7edcd2856..016482294 100644 --- a/lib/libnetlink.c +++ b/lib/libnetlink.c @@ -727,13 +727,15 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n) static int rtnl_dump_done(struct nlmsghdr *h, const struct rtnl_dump_filter_arg *a) { - int len = *(int *)NLMSG_DATA(h); + int len; if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) { fprintf(stderr, "DONE truncated\n"); return -1; } + len = *(int *)NLMSG_DATA(h); + if (len < 0) { errno = -len; |
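Review bot: In rtnl_dump_done(), nothing marks the new placement of `len = *(int *)NLMSG_DATA(h);` after the `h->nlmsg_len < NLMSG_LENGTH(sizeof(int))` check as deliberate. A later cleanup could fold the read back into the declaration, which is exactly the pattern the removed line had. A one-line comment above the assignment, saying the payload may only be read once the header length has been validated, would protect the fix. The commit message could also state the consequence of the old order: an int-sized read of the payload before the DONE message was known to be long enough to hold it. That helps anyone deciding whether to backport.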