mirror of
https://github.com/godotengine/buildroot.git
synced 2026-01-04 06:10:16 +03:00
6826e2ee8a
Patches downloaded from Github are not stable, so bring them in the tree. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
|
|
From: Thomas Haller <thaller@redhat.com>
|
|
Date: Mon, 6 Feb 2017 22:23:52 +0100
|
|
Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
|
|
|
|
In general, libnl functions are not robust against calling with
|
|
invalid arguments. Thus, never call libnl functions with invalid
|
|
arguments. In case of nlmsg_reserve() this means never provide
|
|
a @len argument that causes overflow.
|
|
|
|
Still, add an additional safeguard to avoid exploiting such bugs.
|
|
|
|
Assume that @pad is a trusted, small integer.
|
|
Assume that n->nm_size is a valid number of allocated bytes (and thus
|
|
much smaller then SIZE_T_MAX).
|
|
Assume, that @len may be set to an untrusted value. Then the patch
|
|
avoids an integer overflow resulting in reserving too few bytes.
|
|
|
|
[Upstream commit: https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb.patch]
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
lib/msg.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/lib/msg.c b/lib/msg.c
|
|
index 9af3f3a0..3e27d4e0 100644
|
|
--- a/lib/msg.c
|
|
+++ b/lib/msg.c
|
|
@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
|
|
size_t nlmsg_len = n->nm_nlh->nlmsg_len;
|
|
size_t tlen;
|
|
|
|
+ if (len > n->nm_size)
|
|
+ return NULL;
|
|
+
|
|
tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
|
|
|
|
if ((tlen + nlmsg_len) > n->nm_size)
|