48 lines
1.7 KiB
Diff
48 lines
1.7 KiB
Diff
From 1a68525f4613b4e02e83d4b8004f22ac7ecbfedf Mon Sep 17 00:00:00 2001
|
|
From: Jiri Pirko <jiri@nvidia.com>
|
|
Date: Thu, 7 Dec 2023 13:53:51 +0100
|
|
Subject: [PATCH] mnl_utils: sanitize incoming netlink payload size in
|
|
callbacks
|
|
|
|
Don't trust the kernel to send payload of certain size. Sanitize that by
|
|
checking the payload length in mnlu_cb_stop() and mnlu_cb_error() and
|
|
only access the payload if it is of required size.
|
|
|
|
Note that for mnlu_cb_stop(), this is happening already for example
|
|
with devlink resource. Kernel sends NLMSG_DONE with zero size payload.
|
|
|
|
Fixes: 049c58539f5d ("devlink: mnlg: Add support for extended ack")
|
|
Fixes: c934da8aaacb ("devlink: mnlg: Catch returned error value of dumpit commands")
|
|
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
|
|
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
|
|
---
|
|
lib/mnl_utils.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/mnl_utils.c b/lib/mnl_utils.c
|
|
index 1c7822282..af5aa4f9e 100644
|
|
--- a/lib/mnl_utils.c
|
|
+++ b/lib/mnl_utils.c
|
|
@@ -61,6 +61,8 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data)
|
|
{
|
|
const struct nlmsgerr *err = mnl_nlmsg_get_payload(nlh);
|
|
|
|
+ if (mnl_nlmsg_get_payload_len(nlh) < sizeof(*err))
|
|
+ return MNL_CB_STOP;
|
|
/* Netlink subsystems returns the errno value with different signess */
|
|
if (err->error < 0)
|
|
errno = -err->error;
|
|
@@ -75,8 +77,11 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data)
|
|
|
|
static int mnlu_cb_stop(const struct nlmsghdr *nlh, void *data)
|
|
{
|
|
- int len = *(int *)NLMSG_DATA(nlh);
|
|
+ int len;
|
|
|
|
+ if (mnl_nlmsg_get_payload_len(nlh) < sizeof(len))
|
|
+ return MNL_CB_STOP;
|
|
+ len = *(int *)mnl_nlmsg_get_payload(nlh);
|
|
if (len < 0) {
|
|
errno = -len;
|
|
nl_dump_ext_ack_done(nlh, len);
|