From: Stephen Worley Date: Thu, 26 Jul 2018 20:12:05 +0000 (-0400) Subject: zebra: Check for netlink message next fault X-Git-Tag: frr-6.1-dev~124^2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=refs%2Fpull%2F2735%2Fhead;p=mirror%2Ffrr.git zebra: Check for netlink message next fault NLMSG_NEXT decrements the buffer length (status) by the header msg length (nlmsg_len) everytime its called. If nlmsg_len isn't accurate and set to be larger than what it should represent, it will cause status to decrement passed 0. This makes NLMSG_NEXT return a pointer that references an inaccessible address. When that is passed to NLMSG_OK, it segfaults. Add a check to verify that there is still something to read before we try to. Signed-off-by: Stephen Worley --- diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c index 8703b01319..cd881dcc24 100644 --- a/zebra/kernel_netlink.c +++ b/zebra/kernel_netlink.c @@ -638,7 +638,7 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), read_in++; for (h = (struct nlmsghdr *)buf; - NLMSG_OK(h, (unsigned int)status); + (status >= 0 && NLMSG_OK(h, (unsigned int)status)); h = NLMSG_NEXT(h, status)) { /* Finish of reading. */ if (h->nlmsg_type == NLMSG_DONE)