authorPaul Stewart <pstew@google.com>2016-10-28 16:31:40 -0700
committergitbuildkicker <android-build@google.com>2017-01-03 15:07:08 -0800
commit77a7bed5cb1bc350b86be49dc27e5f713480f119 (patch)
tree04fa4ac4fae8a79fa7d78ea929090a6f2a726192
parent74c5971cb326393625422ddf3be99e8a50e18fc2 (diff)
downloadlibnl-nougat-mr1.2-release.tar.gz
libnl: Check data length in nla_reserve / nla_putandroid-7.1.1_r28android-7.1.1_r17android-7.1.1_r13nougat-mr1.2-release
Ensure predictable behavior when negative values are passed to these methods.

Bug: 32255299
Change-Id: I14d2e4a65e5b208554821f9d3ed4e3244464dfd6
Test: Recompile (integration tests will also run)
(cherry picked from commit f01b03b81ab86d2b4c0f874a438ff672d9fcc191)
-rw-r--r--lib/attr.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/attr.c b/lib/attr.c
index 298fbb14..83943307 100644
--- a/lib/attr.c
+++ b/lib/attr.c
@@ -800,6 +800,9 @@ struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
struct nlattr *nla;
int tlen;
+ if (attrlen < 0)
+ return NULL;
+
tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen);
if ((tlen + msg->nm_nlh->nlmsg_len) > msg->nm_size)
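Review bot: Only the negative side of `attrlen` is rejected before `tlen` is computed, and `tlen` is declared `int`, so a very large positive `attrlen` can still overflow the signed sum `NLMSG_ALIGN(...) + nla_total_size(attrlen)` and reach the size comparison with a wrapped value. An attribute can never be larger than the message buffer, so the guard could bound both ends, for example `if (attrlen < 0 || (size_t)attrlen > msg->nm_size) return NULL;` (this assumes `nm_size` is an unsigned size field; its declaration is not in the hunk). The comparison also mixes the signed `tlen` with `nlmsg_len` and `nm_size`, so doing that arithmetic in `size_t` would make the check easier to reason about. The body of nla_reserve continues outside the hunk.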
@@ -838,6 +841,9 @@ int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data)
{
struct nlattr *nla;
+ if (datalen < 0)
+ return -NLE_RANGE;
+
nla = nla_reserve(msg, attrtype, datalen);
if (!nla)
return -NLE_NOMEM;
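Review bot: The early `return -NLE_RANGE` gives nla_put a second failure code, but nothing visible documents it, and callers written against `-NLE_NOMEM` alone may not handle it. The function's header comment (outside this hunk) should list it, e.g. `@return 0 on success, -NLE_RANGE if datalen is negative, or -NLE_NOMEM if the attribute could not be reserved.` A direct caller of nla_reserve gets a plain `NULL` for the same bad length, so the two entry points report it differently. A short comment at the check, `/* negative length is a caller error, not an allocation failure */`, would make that choice explicit. nla_put's body continues past the last line shown.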