diff options
author | Paul Stewart <pstew@google.com> | 2016-10-28 16:31:40 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-12-01 14:45:01 -0800 |
commit | f0b40192efd1af977564ed6335d42a8bbdaf650a (patch) | |
tree | 04fa4ac4fae8a79fa7d78ea929090a6f2a726192 | |
parent | 74c5971cb326393625422ddf3be99e8a50e18fc2 (diff) | |
download | libnl-f0b40192efd1af977564ed6335d42a8bbdaf650a.tar.gz |
libnl: Check data length in nla_reserve / nla_putandroid-cts-7.1_r9android-cts-7.1_r8android-cts-7.1_r7android-cts-7.1_r6android-cts-7.1_r5android-cts-7.1_r4android-cts-7.1_r3android-cts-7.1_r29android-cts-7.1_r28android-cts-7.1_r27android-cts-7.1_r26android-cts-7.1_r25android-cts-7.1_r24android-cts-7.1_r23android-cts-7.1_r22android-cts-7.1_r21android-cts-7.1_r20android-cts-7.1_r2android-cts-7.1_r19android-cts-7.1_r18android-cts-7.1_r17android-cts-7.1_r16android-cts-7.1_r15android-cts-7.1_r14android-cts-7.1_r13android-cts-7.1_r12android-cts-7.1_r11android-cts-7.1_r10android-7.1.1_r9android-7.1.1_r8android-7.1.1_r7android-7.1.1_r26android-7.1.1_r25android-7.1.1_r23android-7.1.1_r22android-7.1.1_r21android-7.1.1_r20nougat-mr1-releasenougat-mr1-cts-release
Ensure predictable behavior when negative values are passed
to these methods.
Bug: 32255299
Change-Id: I14d2e4a65e5b208554821f9d3ed4e3244464dfd6
Test: Recompile (integration tests will also run)
(cherry picked from commit f01b03b81ab86d2b4c0f874a438ff672d9fcc191)
-rw-r--r-- | lib/attr.c | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -800,6 +800,9 @@ struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen) struct nlattr *nla; int tlen; + if (attrlen < 0) + return NULL; + tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen); if ((tlen + msg->nm_nlh->nlmsg_len) > msg->nm_size) @@ -838,6 +841,9 @@ int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data) { struct nlattr *nla; + if (datalen < 0) + return -NLE_RANGE; + nla = nla_reserve(msg, attrtype, datalen); if (!nla) return -NLE_NOMEM; |