Perform range check on len in nlmsg_reserveHEAD replicant-6.0-0004-transition replicant-6.0-0004-rc6 replicant-6.0-0004-rc5-transition replicant-6.0-0004-rc5 replicant-6.0-0004-rc4 replicant-6.0-0004-rc3 replicant-6.0-0004-rc2 replicant-6.0-0004-rc1 replicant-6.0-0004 replicant-6.0-0003 replicant-6.0-0002 replicant-6.0-0001 cm-13.0

Bug: 32342065 Test: Compile AOSP-Change-Id: I2ef3d63f0910120721c1448eb7d4d64bcec71009 CVE-2017-0553 Change-Id: Icdae3fca1e26c6d4ef1227c0059ed980d847e192 (cherry picked from commit f83d9c1c67b6be69a96995e384f50b572b667df0)
author: Paul Stewart <pstew@google.com> 2017-02-02 12:02:47 -0800
committer: Sean McCreary <mccreary@mcwest.org> 2017-04-06 17:37:59 -0600
commit: c42c9a1ab58532c8ff9f65fb477704e51a8420bc (patch)
tree: aa79a017ad8c59d64f7c5a60ac2614868c03ed1c
parent: e28c391d6acf955c90f37ecfc3e4f678b1582d67 (diff)
download: android_external_libnl-cm-13.0.tar.gz
android_external_libnl-cm-13.0.tar.bz2
android_external_libnl-cm-13.0.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/msg.c b/lib/msg.c
index 9fe9d54..91b86cb 100644
--- a/lib/msg.c
+++ b/lib/msg.c
@@ -518,6 +518,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
 	size_t nlmsg_len = n->nm_nlh->nlmsg_len;
 	size_t tlen;
 
+	if (len > n->nm_size)
+		return NULL;
+
 	tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
 
 	if ((tlen + nlmsg_len) > n->nm_size)
author	Paul Stewart <pstew@google.com>	2017-02-02 12:02:47 -0800
committer	Sean McCreary <mccreary@mcwest.org>	2017-04-06 17:37:59 -0600
commit	c42c9a1ab58532c8ff9f65fb477704e51a8420bc (patch)
tree	aa79a017ad8c59d64f7c5a60ac2614868c03ed1c
parent	e28c391d6acf955c90f37ecfc3e4f678b1582d67 (diff)
download	android_external_libnl-cm-13.0.tar.gz android_external_libnl-cm-13.0.tar.bz2 android_external_libnl-cm-13.0.zip