From 7e05b622ba295a65d95edb905c82dabbc213d507 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Wed, 29 May 2024 15:20:45 +0200 Subject: lib: add internal _nla_len() helper nla_len() has no valid reason to fail or return a negative number. Callers are not allowed to call this on an invalid structure. They usually would call nla_validate() first. However, as it returns a signed "int", coverity assumes that in some cases the value could be negative. That results in coverity warning like Error: INTEGER_OVERFLOW (CWE-190): libnl-3.9.0/lib/route/nh.c:339: tainted_data_return: Called function "nla_len(tb[NHA_GROUP])", and a possible return value may be less than zero. libnl-3.9.0/lib/route/nh.c:339: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow. libnl-3.9.0/lib/route/nh.c:340: overflow: The expression "len / 8UL" is deemed underflowed because at least one of its arguments has underflowed. libnl-3.9.0/lib/route/nh.c:340: cast_overflow: An assign that casts to a different type, which might trigger an overflow. libnl-3.9.0/lib/route/nh.c:342: overflow_sink: "size", which might have underflowed, is passed to "rtnl_nh_grp_info(size, (struct nexthop_grp const *)data, &nh_group)". # 340| size = len / sizeof(struct nexthop_grp); # 341| # 342|-> err = rtnl_nh_grp_info(size, (const struct nexthop_grp *)data, # 343| &nh_group); # 344| if (err < 0) { Add an internal _nla_len() with an API that clearly cannot return negative values. Also, add _nl_assert() which in debug builds do some consistency checks on the argument. https://issues.redhat.com/browse/RHEL-34299 --- include/nl-aux-core/nl-core.h | 8 ++++++++ lib/attr.c | 4 +++- lib/route/nh.c | 2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/include/nl-aux-core/nl-core.h b/include/nl-aux-core/nl-core.h index f75df5c..79cec27 100644 --- a/include/nl-aux-core/nl-core.h +++ b/include/nl-aux-core/nl-core.h @@ -57,4 +57,12 @@ static inline struct nl_addr *_nl_addr_build(int family, const void *buf) return nl_addr_build(family, buf, _nl_addr_family_to_size(family)); } +static inline uint16_t _nla_len(const struct nlattr *nla) +{ + _nl_assert(nla); + _nl_assert(nla->nla_len >= (uint16_t)NLA_HDRLEN); + + return nla->nla_len - (uint16_t)NLA_HDRLEN; +} + #endif /* NETLINK_NL_AUTO_H_ */ diff --git a/lib/attr.c b/lib/attr.c index b8b9837..11805d9 100644 --- a/lib/attr.c +++ b/lib/attr.c @@ -129,7 +129,7 @@ void *nla_data(const struct nlattr *nla) */ int nla_len(const struct nlattr *nla) { - return nla->nla_len - NLA_HDRLEN; + return _nla_len(nla); } /** @@ -146,6 +146,8 @@ int nla_len(const struct nlattr *nla) */ int nla_ok(const struct nlattr *nla, int remaining) { + _NL_STATIC_ASSERT(sizeof(*nla) == NLA_HDRLEN); + return remaining >= (int) sizeof(*nla) && nla->nla_len >= sizeof(*nla) && nla->nla_len <= remaining; diff --git a/lib/route/nh.c b/lib/route/nh.c index 40ce5d4..c63a85f 100644 --- a/lib/route/nh.c +++ b/lib/route/nh.c @@ -336,7 +336,7 @@ static int nexthop_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who, unsigned len; data = nla_data(tb[NHA_GROUP]); - len = nla_len(tb[NHA_GROUP]); + len = _nla_len(tb[NHA_GROUP]); size = len / sizeof(struct nexthop_grp); err = rtnl_nh_grp_info(size, (const struct nexthop_grp *)data, -- cgit v0.12