54 lines
1.9 KiB
Diff
54 lines
1.9 KiB
Diff
From e7c11266309ffa65143455ceefc17fe92d93511c Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <psutter@redhat.com>
|
|
Date: Thu, 25 Oct 2018 12:24:30 +0200
|
|
Subject: [PATCH] libnetlink: fix use-after-free of message buf
|
|
|
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1602555
|
|
Upstream Status: iproute2.git commit 8c50b728b226f
|
|
|
|
commit 8c50b728b226f6254251282697ce38a72639a6fc
|
|
Author: Vlad Buslov <vladbu@mellanox.com>
|
|
Date: Mon Oct 8 23:52:26 2018 +0300
|
|
|
|
libnetlink: fix use-after-free of message buf
|
|
|
|
In __rtnl_talk_iov() main loop, err is a pointer to memory in dynamically
|
|
allocated 'buf' that is used to store netlink messages. If netlink message
|
|
is an error message, buf is deallocated before returning with error code.
|
|
However, on return err->error code is checked one more time to generate
|
|
return value, after memory which err points to has already been
|
|
freed. Save error code in temporary variable and use the variable to
|
|
generate return value.
|
|
|
|
Fixes: c60389e4f9ea ("libnetlink: fix leak and using unused memory on error")
|
|
Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
|
|
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
|
|
---
|
|
lib/libnetlink.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/libnetlink.c b/lib/libnetlink.c
|
|
index f18dcea..a9932d4 100644
|
|
--- a/lib/libnetlink.c
|
|
+++ b/lib/libnetlink.c
|
|
@@ -656,6 +656,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
|
|
|
|
if (h->nlmsg_type == NLMSG_ERROR) {
|
|
struct nlmsgerr *err = (struct nlmsgerr *)NLMSG_DATA(h);
|
|
+ int error = err->error;
|
|
|
|
if (l < sizeof(struct nlmsgerr)) {
|
|
fprintf(stderr, "ERROR truncated\n");
|
|
@@ -679,7 +680,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
|
|
else
|
|
free(buf);
|
|
|
|
- return err->error ? -i : 0;
|
|
+ return error ? -i : 0;
|
|
}
|
|
|
|
if (answer) {
|
|
--
|
|
1.8.3.1
|
|
|