| Field | Value | Date |
|---|---|---|
| author | Cheoleun Moon <chleun.moon@samsung.com> | 2019-09-03 10:22:12 +0900 |
| committer | Cheoleun Moon <chleun.moon@samsung.com> | 2019-09-03 10:22:17 +0900 |
| commit | 5daeffd6da4f7984ef759dc8c48170c1497e35fc (patch) | |
| tree | 0a9a86bf59ee39f5829d27f2b2ad3be538aee6d3 | |
| parent | bec3ed0cd8df9ae71e968f8135b1754a8913aad4 (diff) | |
lib: check for integer-overflow in nlmsg_reserve()
In general, libnl functions are not robust against calling with
invalid arguments. Thus, never call libnl functions with invalid
arguments. In case of nlmsg_reserve() this means never provide
a @len argument that causes overflow.

Still, add an additional safeguard to avoid exploiting such bugs.

Assume that @pad is a trusted, small integer.
Assume that n->nm_size is a valid number of allocated bytes (and thus
much smaller than SIZE_T_MAX).
Assume that @len may be set to an untrusted value. Then the patch
avoids an integer overflow resulting in reserving too few bytes.

http://git.infradead.org/users/tgr/libnl.git/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb

Fix CVE-2017-0553

Change-Id: Ia9ad5040d866d2cc4c1c76eac5275d66edda338b
Signed-off-by: Cheoleun Moon <chleun.moon@samsung.com>
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | lib/msg.c | 3 |

1 files changed, 3 insertions, 0 deletions
@@ -415,6 +415,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) size_t nlmsg_len = n->nm_nlh->nlmsg_len; size_t tlen; + if (len > n->nm_size) + return NULL; + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; if ((tlen + nlmsg_len) > n->nm_size) |
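Review bot: The new `if (len > n->nm_size) return NULL;` reads as a redundant capacity check next to the existing `if ((tlen + nlmsg_len) > n->nm_size)` test, while its real job is to keep the rounding `(len + (pad - 1)) & ~(pad - 1)` and the sum `tlen + nlmsg_len` from wrapping around when `len` is close to SIZE_MAX; a one-line comment at the check, e.g. `/* bound len first so the rounding and size check below cannot overflow */`, would stop a later cleanup from folding it into the second test. The rounding expression also only works when `pad` is 0 or a power of two, which matches the commit message's "trusted, small integer" assumption but is not enforced in this hunk.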
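The overflow the commit message describes, and the effect of the added guard, can be seen by replaying the reserve arithmetic on a small model. The following C program is an added example, not code from libnl or from this commit: the `nlmsghdr_min` and `nl_msg_min` structures, the 4096-byte sample buffer with 16 bytes in use, and the helper names are constructed here; only the two fields that `nlmsg_reserve()` reads (`nm_size` and `nm_nlh->nlmsg_len`) are modelled, and the rounding and size-check expressions are the ones visible in the hunk.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the libnl structures, constructed for this example.
 * Only the two fields that nlmsg_reserve() consults are modelled. */
struct nlmsghdr_min {
    uint32_t nlmsg_len;          /* bytes of the message used so far */
};

struct nl_msg_min {
    size_t nm_size;              /* bytes allocated for the message buffer */
    struct nlmsghdr_min *nm_nlh; /* header at the start of that buffer */
};

/* The rounding step from nlmsg_reserve(): round len up to a multiple of pad.
 * pad must be 0 or a power of two (the commit assumes it is small and trusted).
 * With len near SIZE_MAX the addition wraps and the result becomes tiny. */
static size_t round_up_to_pad(size_t len, int pad)
{
    return pad ? ((len + (size_t)(pad - 1)) & ~(size_t)(pad - 1)) : len;
}

/* Mirrors the capacity logic of nlmsg_reserve() before (with_guard = false)
 * and after (with_guard = true) the patch. Returns true if the reservation
 * would be granted. */
static bool reserve_would_succeed(const struct nl_msg_min *n, size_t len,
                                  int pad, bool with_guard)
{
    size_t nlmsg_len = n->nm_nlh->nlmsg_len;
    size_t tlen;

    /* The added check: a request larger than the whole buffer can never fit,
     * and bounding len here keeps both sums below from wrapping around. */
    if (with_guard && len > n->nm_size)
        return false;

    tlen = round_up_to_pad(len, pad);

    /* Original check: this sum can also wrap when pad == 0 and len is huge. */
    if ((tlen + nlmsg_len) > n->nm_size)
        return false;
    return true;
}

/* Constructed sample message: a 4096-byte buffer with 16 bytes already used. */
static bool sample_accepts(size_t len, int pad, bool with_guard)
{
    struct nlmsghdr_min hdr = { .nlmsg_len = 16 };
    struct nl_msg_min msg = { .nm_size = 4096, .nm_nlh = &hdr };
    return reserve_would_succeed(&msg, len, pad, with_guard);
}

int main(void)
{
    size_t near_max = SIZE_MAX - 1;   /* untrusted, absurd request */

    /* Rounding overflow: SIZE_MAX-1 rounded to 4 wraps to tlen == 0, so the
     * unpatched size check passes and the caller believes it owns huge space. */
    printf("len=SIZE_MAX-1 pad=4 -> tlen=%zu, unguarded=%d, guarded=%d\n",
           round_up_to_pad(near_max, 4),
           sample_accepts(near_max, 4, false), sample_accepts(near_max, 4, true));

    /* Sum overflow with pad == 0: SIZE_MAX-8 + 16 wraps to 7 <= 4096. */
    printf("len=SIZE_MAX-8 pad=0 -> unguarded=%d, guarded=%d\n",
           sample_accepts(SIZE_MAX - 8, 0, false), sample_accepts(SIZE_MAX - 8, 0, true));

    /* Ordinary requests are unaffected by the guard. */
    printf("len=101 pad=4 -> tlen=%zu, guarded=%d\n",
           round_up_to_pad(101, 4), sample_accepts(101, 4, true));
    printf("len=4096 pad=4 -> guarded=%d (does not fit beside 16 used bytes)\n",
           sample_accepts(4096, 4, true));
    return 0;
}
```

Both wrap-around paths pass the original check alone: a padded request of SIZE_MAX-1 rounds to a `tlen` of 0, and an unpadded request of SIZE_MAX-8 makes `tlen + nlmsg_len` wrap to 7. The `len > nm_size` comparison rejects both before any arithmetic is done, which is why a single early bound on the untrusted value is enough as long as `nm_size` and `pad` stay far below SIZE_MAX, as the commit message assumes.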