| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Sep 2018 16:29:28 -0700
From: Mahesh Bandewar <mahesh@...dewar.net>
To: Stephen Hemminger <stephen@...workplumber.org>
Cc: netdev <netdev@...r.kernel.org>,
Mahesh Bandewar <maheshb@...gle.com>
Subject: [PATCH iproute2] iproute2: fix use-after-free
From: Mahesh Bandewar <maheshb@...gle.com>
A local program using iproute2 lib pointed out the issue and looking
at the code it is pretty obvious -
a = (struct nlmsghdr *)b;
...
free(b);
if (a->nlmsg_seq == seq)
...
Fixes: 86bf43c7c2fd ("lib/libnetlink: update rtnl_talk to support malloc buff at run time")
Signed-off-by: Mahesh Bandewar <maheshb@...gle.com>
---
lib/libnetlink.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index 928de1dd16d8..016a5f0bcfb6 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -661,17 +661,24 @@ next:
if (l < sizeof(struct nlmsgerr)) {
fprintf(stderr, "ERROR truncated\n");
} else if (!err->error) {
+ unsigned int tmp_seq;
+
/* check messages from kernel */
nl_dump_ext_ack(h, errfn);
- if (answer)
+ tmp_seq = h->nlmsg_seq;
+ if (answer) {
*answer = (struct nlmsghdr *)buf;
- else
+ } else {
free(buf);
- if (h->nlmsg_seq == seq)
+ buf = NULL;
+ }
+ if (tmp_seq == seq) {
return 0;
- else if (i < iovlen)
+ } else if (i < iovlen) {
+ free(buf);
goto next;
+ }
return 0;
}
--
2.19.0.rc2.392.g5ba43deb5a-goog
Powered by blists - more mailing lists