iproute/SOURCES/0028-libnetlink-fix-use-after-free-of-message-buf.patch
2021-09-09 19:12:39 +00:00

54 lines
1.9 KiB
Diff

From e7c11266309ffa65143455ceefc17fe92d93511c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 25 Oct 2018 12:24:30 +0200
Subject: [PATCH] libnetlink: fix use-after-free of message buf
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1602555
Upstream Status: iproute2.git commit 8c50b728b226f
commit 8c50b728b226f6254251282697ce38a72639a6fc
Author: Vlad Buslov <vladbu@mellanox.com>
Date: Mon Oct 8 23:52:26 2018 +0300
libnetlink: fix use-after-free of message buf
In __rtnl_talk_iov() main loop, err is a pointer to memory in dynamically
allocated 'buf' that is used to store netlink messages. If netlink message
is an error message, buf is deallocated before returning with error code.
However, on return err->error code is checked one more time to generate
return value, after memory which err points to has already been
freed. Save error code in temporary variable and use the variable to
generate return value.
Fixes: c60389e4f9ea ("libnetlink: fix leak and using unused memory on error")
Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/libnetlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index f18dcea..a9932d4 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -656,6 +656,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
if (h->nlmsg_type == NLMSG_ERROR) {
struct nlmsgerr *err = (struct nlmsgerr *)NLMSG_DATA(h);
+ int error = err->error;
if (l < sizeof(struct nlmsgerr)) {
fprintf(stderr, "ERROR truncated\n");
@@ -679,7 +680,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
else
free(buf);
- return err->error ? -i : 0;
+ return error ? -i : 0;
}
if (answer) {
--
1.8.3.1