author: Thomas Haller <thaller@redhat.com> 2017-02-06 21:23:52 (GMT)
committer: Thomas Haller <thaller@redhat.com> 2017-02-07 11:11:23 (GMT)
commit: 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb (patch)
tree: a560725da6f508cb7f612ee652c08023350f8ea5 /lib
parent: 3dd2a0f26fa59896b4b4a262cf309a4be4aa70d3 (diff)
lib: check for integer-overflow in nlmsg_reserve()
In general, libnl functions are not robust against calling with invalid arguments. Thus, never call libnl functions with invalid arguments. In case of nlmsg_reserve() this means never provide a @len argument that causes overflow. Still, add an additional safeguard to avoid exploiting such bugs. Assume that @pad is a trusted, small integer. Assume that n->nm_size is a valid number of allocated bytes (and thus much smaller than SIZE_T_MAX). Assume that @len may be set to an untrusted value. Then the patch avoids an integer overflow resulting in reserving too few bytes.
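To make the arithmetic in the commit message concrete, the following is an added, self-contained model of the size check in nlmsg_reserve(), written for this page and not taken from libnl. The function names, the buffer sizes and the request values are constructed; the alignment expression and the final size comparison mirror the lines shown in the patch. The unguarded variant shows how a request near SIZE_MAX wraps during padding and slips past the size check; the guarded variant adds the bound from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not libnl code).
 * nm_size:   bytes allocated for the message buffer (assumed a valid, small size)
 * nlmsg_len: bytes already in use
 * pad:       trusted, small power-of-two alignment (0 = no alignment)
 * len:       request size, possibly untrusted
 * Returns 1 if the reservation would be accepted, 0 if it would be refused. */
static int reserve_ok_unguarded(size_t nm_size, size_t nlmsg_len, size_t len, int pad)
{
    /* Round len up to a multiple of pad, exactly as the original code does.
     * If len is close to SIZE_MAX, len + (pad - 1) wraps around and tlen
     * becomes a tiny number. */
    size_t tlen = pad ? ((len + (pad - 1)) & ~(size_t)(pad - 1)) : len;

    /* With a wrapped tlen this comparison passes even though the caller
     * asked for far more bytes than the buffer holds. */
    if ((tlen + nlmsg_len) > nm_size)
        return 0;
    return 1;
}

static int reserve_ok_guarded(size_t nm_size, size_t nlmsg_len, size_t len, int pad)
{
    /* Guard added by the patch: once len is bounded by nm_size (a small,
     * valid allocation size) and pad is small, neither addition below can
     * wrap, so the later comparison is meaningful. */
    if (len > nm_size)
        return 0;

    size_t tlen = pad ? ((len + (pad - 1)) & ~(size_t)(pad - 1)) : len;
    if ((tlen + nlmsg_len) > nm_size)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed scenario: a 4096-byte buffer with 16 bytes already used,
     * 4-byte alignment, and a request of SIZE_MAX - 1 bytes. */
    size_t huge = SIZE_MAX - 1;
    printf("unguarded accepts huge request: %d\n",
           reserve_ok_unguarded(4096, 16, huge, 4));   /* 1: overflow slips through */
    printf("guarded accepts huge request:   %d\n",
           reserve_ok_guarded(4096, 16, huge, 4));     /* 0: refused */
    printf("guarded accepts 100 bytes:      %d\n",
           reserve_ok_guarded(4096, 16, 100, 4));      /* 1: normal request */
    printf("guarded accepts 4090 bytes:     %d\n",
           reserve_ok_guarded(4096, 16, 4090, 4));     /* 0: does not fit */
    return 0;
}
```

The model casts `pad - 1` to size_t before the mask; the original relies on the int being sign-extended when promoted, which yields the same mask on the platforms libnl targets. Note that the guard does not replace argument validation by the caller: it only ensures that a bogus `len` is refused instead of silently producing an undersized reservation.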
Diffstat (limited to 'lib')
lib/msg.c | 3 +++
1 file changed, 3 insertions, 0 deletions
diff --git a/lib/msg.c b/lib/msg.c
index 9af3f3a..3e27d4e 100644
--- a/lib/msg.c
+++ b/lib/msg.c
@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
size_t nlmsg_len = n->nm_nlh->nlmsg_len;
size_t tlen;
+ if (len > n->nm_size)
+ return NULL;
+
tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
if ((tlen + nlmsg_len) > n->nm_size)
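Review bot: the new `if (len > n->nm_size) return NULL;` is only sufficient under the assumptions stated in the commit message (pad is a small trusted integer, nm_size is a genuine allocation size far below SIZE_MAX), and nothing in the code records that; add a short comment above the check saying that it exists so that `len + (pad - 1)` and `tlen + nlmsg_len` on the following lines cannot wrap. It would also help to note in the same comment that the subsequent `(tlen + nlmsg_len) > n->nm_size` comparison is what actually enforces the available space, so a reader does not mistake the new bound for a complete capacity check.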