diff options
| author | Paul Stewart <pstew@google.com> | 2016-10-28 16:31:40 -0700 |
|---|---|---|
| committer | Sean McCreary <mccreary@mcwest.org> | 2017-04-06 17:37:45 -0600 |
| commit | e28c391d6acf955c90f37ecfc3e4f678b1582d67 (patch) | |
| tree | 94bb4655cf3c004cb90e3f3251b58d415fa6dde0 | |
| parent | 19c48c82efd448e310e8151af749c5f6ec5d321b (diff) | |
| download | android_external_libnl-e28c391d6acf955c90f37ecfc3e4f678b1582d67.tar.gz android_external_libnl-e28c391d6acf955c90f37ecfc3e4f678b1582d67.tar.bz2 android_external_libnl-e28c391d6acf955c90f37ecfc3e4f678b1582d67.zip | |
libnl: Check data length in nla_reserve / nla_put
Ensure predictable behavior when negative values are passed
to these methods.
Bug: 32255299
Change-Id: I14d2e4a65e5b208554821f9d3ed4e3244464dfd6
Test: Recompile (integration tests will also run)
(cherry picked from commit f01b03b81ab86d2b4c0f874a438ff672d9fcc191)
(cherry picked from commit b139feb88f434bf502d18cad113b4fed405f2c35)
| -rw-r--r-- | lib/attr.c | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -800,6 +800,9 @@ struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen) struct nlattr *nla; int tlen; + if (attrlen < 0) + return NULL; + tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen); if ((tlen + msg->nm_nlh->nlmsg_len) > msg->nm_size) @@ -838,6 +841,9 @@ int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data) { struct nlattr *nla; + if (datalen < 0) + return -NLE_RANGE; + nla = nla_reserve(msg, attrtype, datalen); if (!nla) return -NLE_NOMEM; |