diff options
author | Paul Stewart <pstew@google.com> | 2017-02-02 12:02:47 -0800 |
---|---|---|
committer | Sean McCreary <mccreary@mcwest.org> | 2017-04-06 17:37:59 -0600 |
commit | c42c9a1ab58532c8ff9f65fb477704e51a8420bc (patch) | |
tree | aa79a017ad8c59d64f7c5a60ac2614868c03ed1c | |
parent | e28c391d6acf955c90f37ecfc3e4f678b1582d67 (diff) | |
download | android_external_libnl-cm-13.0.tar.gz android_external_libnl-cm-13.0.tar.bz2 android_external_libnl-cm-13.0.zip |
Perform range check on len in nlmsg_reserveHEADreplicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004-rc1replicant-6.0-0004replicant-6.0-0003replicant-6.0-0002replicant-6.0-0001cm-13.0
Bug: 32342065
Test: Compile
AOSP-Change-Id: I2ef3d63f0910120721c1448eb7d4d64bcec71009
CVE-2017-0553
Change-Id: Icdae3fca1e26c6d4ef1227c0059ed980d847e192
(cherry picked from commit f83d9c1c67b6be69a96995e384f50b572b667df0)
-rw-r--r-- | lib/msg.c | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -518,6 +518,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) size_t nlmsg_len = n->nm_nlh->nlmsg_len; size_t tlen; + if (len > n->nm_size) + return NULL; + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; if ((tlen + nlmsg_len) > n->nm_size) |