diff options
| -rw-r--r-- | meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch | 43 | ||||
| -rw-r--r-- | meta/recipes-support/libnl/libnl_3.2.28.bb | 1 |
2 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch new file mode 100644 index 00000000000..9e22c40c558 --- /dev/null +++ b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch @@ -0,0 +1,43 @@ +From 1db543374db3e58faacdfd91e5061a8a595ce505 Mon Sep 17 00:00:00 2001 +From: Thomas Haller <thaller@redhat.com> +Date: Mon, 6 Feb 2017 22:23:52 +0100 +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() + +In general, libnl functions are not robust against calling with +invalid arguments. Thus, never call libnl functions with invalid +arguments. In case of nlmsg_reserve() this means never provide +a @len argument that causes overflow. + +Still, add an additional safeguard to avoid exploiting such bugs. + +Assume that @pad is a trusted, small integer. +Assume that n->nm_size is a valid number of allocated bytes (and thus +much smaller then SIZE_T_MAX). +Assume, that @len may be set to an untrusted value. Then the patch +avoids an integer overflow resulting in reserving too few bytes. + +Upstream-Status: Backport [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb] +CVE: CVE-2017-0553 + +Signed-off-by: Andre McCurdy <armccurdy@gmail.com> +--- + lib/msg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/msg.c b/lib/msg.c +index e8a7e99..f30fd2d 100644 +--- a/lib/msg.c ++++ b/lib/msg.c +@@ -410,6 +410,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) + size_t nlmsg_len = n->nm_nlh->nlmsg_len; + size_t tlen; + ++ if (len > n->nm_size) ++ return NULL; ++ + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; + + if ((tlen + nlmsg_len) > n->nm_size) +-- +1.9.1 + diff --git a/meta/recipes-support/libnl/libnl_3.2.28.bb b/meta/recipes-support/libnl/libnl_3.2.28.bb index 26982f3efbc..a74b455ac52 100644 --- a/meta/recipes-support/libnl/libnl_3.2.28.bb +++ b/meta/recipes-support/libnl/libnl_3.2.28.bb @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native" SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV', True).replace('.','_')}/${BP}.tar.gz \ file://fix-pktloc_syntax_h-race.patch \ file://fix-pc-file.patch \ + file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \ file://0001-lib-add-utility-function-nl_strerror_l.patch \ file://0002-lib-switch-to-using-strerror_l-instead-of-strerror_r.patch \ file://0003-src-switch-to-using-strerror_l-instead-of-strerror_r.patch \ |