lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260114104714.78a060b9@phoenix.local>
Date: Wed, 14 Jan 2026 10:47:14 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: Jan Vaclav <jvaclav@...hat.com>
Cc: netdev@...r.kernel.org, Gris Ge <fge@...hat.com>
Subject: Re: [PATCH iproute2] ip/iplink: fix off-by-one KIND length in
 modify()

On Tue, 13 Jan 2026 12:41:27 +0100
Jan Vaclav <jvaclav@...hat.com> wrote:

> The expected size for IFLA_INFO_KIND in kernel is strlen(kind) + 1.
> See `size` in rtnl_link_get_size() in net/core/rtnetlink.c.
> 
> Fixes: 1d93483985f0 ("iplink: use netlink for link configuration")
> Reported-by: Gris Ge <fge@...hat.com>
> Signed-off-by: Jan Vaclav <jvaclav@...hat.com>
> ---

Good catch.
It does raise the issue why IFLA_ALIAS is a binary attribute.

FYI - AI code review agrees.

I'll review this patch by examining all three files you've provided.Now let me provide my review based on the analysis.

---

## Patch Review: `[PATCH iproute2] ip/iplink: fix off-by-one KIND length in modify()`

**Verdict: Patch is correct and should be applied.**

### Analysis

The patch changes:
```c
addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, type,
-         strlen(type));
+         strlen(type) + 1);
```

This is the right fix. Here's why:

**1. Kernel Policy Requires NLA_STRING**

In `rtnetlink.c:2264`:
```c
[IFLA_INFO_KIND]	= { .type = NLA_STRING },
```

The `NLA_STRING` type expects a null-terminated string. The netlink validation layer checks that the last byte is `'\0'`.

**2. Kernel Size Calculation Includes Null Terminator**

In `rtnetlink.c:730` (`rtnl_link_get_size()`):
```c
nla_total_size(strlen(ops->kind) + 1);  /* IFLA_INFO_KIND */
```

The kernel explicitly accounts for `strlen + 1` when calculating buffer sizes for outbound messages.

**3. Kernel Uses `nla_put_string()` for Outbound**

In `rtnetlink.c:889`:
```c
nla_put_string(skb, IFLA_INFO_KIND, ops->kind)
```

`nla_put_string()` includes the null terminator, so kernel-to-userspace messages include it.

**4. Why It Worked Before (Probably)**

The current code likely "works" by accident due to netlink's 4-byte alignment requirements. When `addattr_l()` adds an attribute, padding bytes are typically zeroed. For most type strings, the padding happens to provide the null terminator. But this is unreliable:
- If `strlen(type) % 4 == 0`, no padding is added
- Different `addattr_l` implementations may not zero padding

**5. Contrast with IFLA_IFALIAS**

Interestingly, `IFLA_IFALIAS` at line 796-797 also uses `strlen()` without `+1`, but that's actually correct because the kernel explicitly treats it as `NLA_BINARY` (see `rtnetlink.c:2218-2221`) and uses `nla_len()` directly rather than relying on null termination.

### Minor Comment

The commit message is good - it correctly references the kernel source and includes proper tags. One small enhancement might be to note that this has worked by luck due to alignment padding, but that's optional.

**Reviewed-by: Stephen Hemminger <stephen@...workplumber.org>**

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ