From e6a0e0d1413a2cfb17be8374d82a1db555fd5ec2 Mon Sep 17 00:00:00 2001 From: Stephen Worley Date: Thu, 26 Jul 2018 16:12:05 -0400 Subject: [PATCH] zebra: Check for netlink message next fault NLMSG_NEXT decrements the buffer length (status) by the header msg length (nlmsg_len) everytime its called. If nlmsg_len isn't accurate and set to be larger than what it should represent, it will cause status to decrement passed 0. This makes NLMSG_NEXT return a pointer that references an inaccessible address. When that is passed to NLMSG_OK, it segfaults. Add a check to verify that there is still something to read before we try to. Signed-off-by: Stephen Worley --- zebra/kernel_netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c index 8703b0131..cd881dcc2 100644 --- a/zebra/kernel_netlink.c +++ b/zebra/kernel_netlink.c @@ -638,7 +638,7 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), read_in++; for (h = (struct nlmsghdr *)buf; - NLMSG_OK(h, (unsigned int)status); + (status >= 0 && NLMSG_OK(h, (unsigned int)status)); h = NLMSG_NEXT(h, status)) { /* Finish of reading. */ if (h->nlmsg_type == NLMSG_DONE) -- 2.39.2