From f83d9c1c67b6be69a96995e384f50b572b667df0 Mon Sep 17 00:00:00 2001
From: Paul Stewart <pstew@google.com>
Date: Thu, 2 Feb 2017 12:02:47 -0800
Subject: Perform range check on len in nlmsg_reserve

Bug: 32342065
Test: Compile
Change-Id: I2ef3d63f0910120721c1448eb7d4d64bcec71009
---
 lib/msg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/msg.c b/lib/msg.c
index 9fe9d541..91b86cbd 100644
--- a/lib/msg.c
+++ b/lib/msg.c
@@ -518,6 +518,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
 	size_t nlmsg_len = n->nm_nlh->nlmsg_len;
 	size_t tlen;
 
+	if (len > n->nm_size)
+		return NULL;
+
 	tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
 
 	if ((tlen + nlmsg_len) > n->nm_size)
-- 
cgit v1.2.3