libnl: Check data length in nla_reserve / nla_put am: f01b03b81a am: c198930bbb am: 2df2c5fa22 am: 65f43269a0 am: c7d03e591b am: 1ecc7536e5

am: 5399bd1024 Change-Id: Ib6b8fb50954e04aa889b8dd892f2a8f4367a7849
author: Paul Stewart <pstew@google.com> 2016-11-09 17:57:35 +0000
committer: android-build-merger <android-build-merger@google.com> 2016-11-09 17:57:35 +0000
commit: df24328b6ed8bf39af23959b4237742b414c2dd8 (patch)
tree: 04fa4ac4fae8a79fa7d78ea929090a6f2a726192
parent: 74c5971cb326393625422ddf3be99e8a50e18fc2 (diff)
parent: 5399bd1024679539f5a52ff8c6624ba575ed715c (diff)
download: libnl-df24328b6ed8bf39af23959b4237742b414c2dd8.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/attr.c b/lib/attr.c
index 298fbb14..83943307 100644
--- a/lib/attr.c
+++ b/lib/attr.c
@@ -800,6 +800,9 @@ struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
 	struct nlattr *nla;
 	int tlen;
 	
+	if (attrlen < 0)
+		return NULL;
+
 	tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen);
 
 	if ((tlen + msg->nm_nlh->nlmsg_len) > msg->nm_size)
@@ -838,6 +841,9 @@ int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data)
 {
 	struct nlattr *nla;
 
+	if (datalen < 0)
+		return -NLE_RANGE;
+
 	nla = nla_reserve(msg, attrtype, datalen);
 	if (!nla)
 		return -NLE_NOMEM;
author	Paul Stewart <pstew@google.com>	2016-11-09 17:57:35 +0000
committer	android-build-merger <android-build-merger@google.com>	2016-11-09 17:57:35 +0000
commit	df24328b6ed8bf39af23959b4237742b414c2dd8 (patch)
tree	04fa4ac4fae8a79fa7d78ea929090a6f2a726192
parent	74c5971cb326393625422ddf3be99e8a50e18fc2 (diff)
parent	5399bd1024679539f5a52ff8c6624ba575ed715c (diff)
download	libnl-df24328b6ed8bf39af23959b4237742b414c2dd8.tar.gz