authorStephen Worley <sworley@cumulusnetworks.com>2018-07-26 16:12:05 -0400
committerStephen Worley <sworley@cumulusnetworks.com>2018-07-26 16:46:57 -0400
commite6a0e0d1413a2cfb17be8374d82a1db555fd5ec2 (patch)
treedb51b97daf5b53f3cc67f058dca21321c39cd23e /zebra/kernel_netlink.c
parent4b22e6bc053fe6349960b279c5bfa47bbba04b56 (diff)
zebra: Check for netlink message next fault
NLMSG_NEXT decrements the buffer length (status) by the header msg length (nlmsg_len) every time it's called. If nlmsg_len isn't accurate and is set to be larger than what it should represent, it will cause status to decrement past 0. This makes NLMSG_NEXT return a pointer that references an inaccessible address. When that is passed to NLMSG_OK, it segfaults. Add a check to verify that there is still something to read before we try to. Signed-off-by: Stephen Worley <sworley@cumulusnetworks.com>
Diffstat (limited to 'zebra/kernel_netlink.c')
-rw-r--r--zebra/kernel_netlink.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
index 8703b01319..cd881dcc24 100644
--- a/zebra/kernel_netlink.c
+++ b/zebra/kernel_netlink.c
@@ -638,7 +638,7 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
read_in++;
for (h = (struct nlmsghdr *)buf;
- NLMSG_OK(h, (unsigned int)status);
+ (status >= 0 && NLMSG_OK(h, (unsigned int)status));
h = NLMSG_NEXT(h, status)) {
/* Finish of reading. */
if (h->nlmsg_type == NLMSG_DONE)
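Review bot: The new `status >= 0` test in the `for` condition protects the parse only because it short-circuits before `NLMSG_OK`, and nothing at the loop says why it is there. The underlying problem is the `(unsigned int)status` cast, which turns a negative remainder into a very large length so that the macro's own length comparison no longer rejects it; a comment such as `/* NLMSG_NEXT can drive status negative when nlmsg_len overstates the message; test before the unsigned cast */` would keep a later cleanup from dropping the guard. A message with an oversized `nlmsg_len` now ends the loop with no log in the visible lines, so if the code after the loop does not already report a non-zero `status`, a warning there would make malformed netlink input visible to operators. The loop body and the rest of `netlink_parse_info` lie outside the hunk.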