Message-Id: <b54be39a6f4688613fba5f0b7a1dcad245149b20.1504283683.git.mkubecek@suse.cz>
Date:   Fri,  1 Sep 2017 18:39:11 +0200 (CEST)
From:   Michal Kubecek <mkubecek@...e.cz>
To:     Stephen Hemminger <stephen@...workplumber.org>
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH iproute2 1/2] iplink: check for message truncation in
 iplink_get()

If message length exceeds maxlen argument of rtnl_talk(), it is truncated
to maxlen but unlike in the case of truncation to the length of local
buffer in rtnl_talk(), the caller doesn't get any indication of a problem.

In particular, iplink_get() passes the truncated message on and parsing it
results in various warnings and sometimes even a segfault (observed with
"ip link show dev ..." for a NIC with 125 VFs).

Handle message truncation in iplink_get() the same way as truncation in
rtnl_talk() would be handled: return an error.

Signed-off-by: Michal Kubecek <mkubecek@...e.cz>
---
 ip/iplink.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ip/iplink.c b/ip/iplink.c
index 5aff2fde38da..790e3a138bb0 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -1040,6 +1040,11 @@ int iplink_get(unsigned int flags, char *name, __u32 filt_mask)
 
 	if (rtnl_talk(&rth, &req.n, &answer.n, sizeof(answer)) < 0)
 		return -2;
+	if (answer.n.nlmsg_len > sizeof(answer.buf)) {
+		fprintf(stderr, "Message truncated from %u to %lu\n",
+			answer.n.nlmsg_len, sizeof(answer.buf));
+		return -2;
+	}
 
 	if (brief)
 		print_linkinfo_brief(NULL, &answer.n, stdout, NULL);
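Review bot: The new check compares answer.n.nlmsg_len against sizeof(answer.buf), but the maxlen passed to rtnl_talk() in the line just above is sizeof(answer), which also covers the answer.n header. As written, a reply whose length falls between those two sizes is rejected even though rtnl_talk() did not truncate it, and the "truncated from %u to %lu" message reports a size that is not the one truncation actually happens at. Comparing against sizeof(answer), the same value given to rtnl_talk(), would keep the two in step; if the smaller bound is intentional, a short comment saying why would help. Separately, in the fprintf() call sizeof() yields a size_t, so the second conversion should be %zu rather than %lu, which is only correct where size_t and unsigned long happen to have the same width.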
-- 
2.14.1
