From fd9d1da28c9d989f88b6c5edaa352c01976f82ac Mon Sep 17 00:00:00 2001
From: Andrey Vagin
Date: Mon, 14 Sep 2015 18:59:58 +0300
Subject: libnl: report an error if unexpected control data was received
Currently, we try to handle MSG_CTRUNC, but if msg_controllen is zero, we make double free for the same address. realloc(0, 0) returns non-zero address realloc(addr, 0) returns zero and free(addr) has already been called Then we call free(addr) again and get an error like this:
*** Error in `./task_diag_all': double free or corruption (fasttop): 0x0000000000f9c160 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x77e9d)[0x7f360ed96e9d]
/lib64/libc.so.6(+0x7f53c)[0x7f360ed9e53c]
/lib64/libc.so.6(cfree+0x4c)[0x7f360eda2e9c]
/lib64/libnl-3.so.200(nl_recv+0x221)[0x7f360f2f6361]
/lib64/libnl-3.so.200(nl_recvmsgs_report+0x555)[0x7f360f2f6a95]
/lib64/libnl-3.so.200(nl_recvmsgs+0x9)[0x7f360f2f6d89]
./task_diag_all[0x400f8d]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f360ed3f790]
./task_diag_all[0x401169]
http://lists.infradead.org/pipermail/libnl/2015-September/001965.html
Signed-off-by: Andrey Vagin
Signed-off-by: Thomas Haller
---
 lib/nl.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lib/nl.c b/lib/nl.c
index c93b6a5..cba4217 100644
--- a/lib/nl.c
+++ b/lib/nl.c
@@ -721,6 +721,13 @@ retry:
 if (msg.msg_flags & MSG_CTRUNC) {
 void *tmp;
+
+ if (msg.msg_controllen == 0) {
+ retval = -NLE_MSG_TRUNC;
+ NL_DBG(4, "recvmsg(%p): Received unexpected control data", sk);
+ goto abort;
+ }
+
 msg.msg_controllen *= 2;
 tmp = realloc(msg.msg_control, msg.msg_controllen);
 if (!tmp) {
-- 
cgit v0.12
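Review bot: The new `msg.msg_controllen == 0` test reads a value that recvmsg() rewrites on return (the length of control data actually delivered), not the size libnl allocated, so it only identifies the "no control buffer was supplied" case because the kernel reports 0 when it had nowhere to write; that reasoning, and the fact that `realloc(p, 0)` is the real double free (glibc frees p and returns NULL, and the abort: path then presumably frees it again), should be recorded next to the check so nobody later "simplifies" it away. I would add above the new `if`: `/* recvmsg() rewrote msg_controllen to the bytes delivered: 0 with MSG_CTRUNC means we supplied no control buffer, so there is nothing to grow, and doubling 0 would turn the realloc() below into a free() that abort: repeats. */`. A more direct condition would be `if (!msg.msg_control)`, which states the intent without depending on what length the kernel reports back; the same fragility applies to the pre-existing `msg.msg_controllen *= 2`, which doubles the kernel-reported length rather than the allocation size and only grows correctly as long as the kernel fills the buffer completely on truncation. nl_recv() begins before this hunk and continues after it, so I cannot see where msg_control is allocated, whether msg_controllen is reset before `goto retry`, or what abort: frees.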