Netlink: Fix handling of RTAX_CC_ALGO netlink attribute

The kernel-provided congestion control algorithm (RTAX_CC_ALGO) is stored in
an EAF_TYPE_STRING adata blob without the terminating NULL. When exporting
metrics back to netlink, the value is treated as a C string and passed to
nl_add_attr_str(), which uses strlen(str)+1. This may read past the allocated
adata and leak adjacent memory or crash.

Minor change by committer.

diff --git a/sysdep/linux/netlink.c b/sysdep/linux/netlink.c
index 299f132fec9192d0e887c2ba9ebb15eedab7f13b..8be5112c462b7b754b0cf365b9072eff9a36e1d4 100644 (file)
--- a/sysdep/linux/netlink.c
+++ b/sysdep/linux/netlink.c
@@ -1876,7 +1876,7 @@ nl_parse_route(struct nl_parse_state *s, struct nlmsghdr *h)
            }
           else if (t == RTAX_CC_ALGO)
            {
-             struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo));
+             struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo) + 1);
              memcpy(ad->data, cc_algo, ad->length);
 
              ea->attrs[n++] = (eattr) {