mnl_utils: sanitize incoming netlink payload size in callbacks

Don't trust the kernel to send payload of certain size. Sanitize that by
checking the payload length in mnlu_cb_stop() and mnlu_cb_error() and
only access the payload if it is of required size.

Note that for mnlu_cb_stop(), this is happening already for example
with devlink resource. Kernel sends NLMSG_DONE with zero size payload.

Fixes: 049c58539f5d ("devlink: mnlg: Add support for extended ack")
Fixes: c934da8aaacb ("devlink: mnlg: Catch returned error value of dumpit commands")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

diff --git a/lib/mnl_utils.c b/lib/mnl_utils.c
index 1c78222828ff9f164792da5253de21b6b15fbb98..af5aa4f9eda4bee1514968fc6088eadb2e06a336 100644 (file)
--- a/lib/mnl_utils.c
+++ b/lib/mnl_utils.c
@@ -61,6 +61,8 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data)
 {
        const struct nlmsgerr *err = mnl_nlmsg_get_payload(nlh);
 
+       if (mnl_nlmsg_get_payload_len(nlh) < sizeof(*err))
+               return MNL_CB_STOP;
        /* Netlink subsystems returns the errno value with different signess */
        if (err->error < 0)
                errno = -err->error;
@@ -75,8 +77,11 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data)
 
 static int mnlu_cb_stop(const struct nlmsghdr *nlh, void *data)
 {
-       int len = *(int *)NLMSG_DATA(nlh);
+       int len;
 
+       if (mnl_nlmsg_get_payload_len(nlh) < sizeof(len))
+               return MNL_CB_STOP;
+       len = *(int *)mnl_nlmsg_get_payload(nlh);
        if (len < 0) {
                errno = -len;
                nl_dump_ext_ack_done(nlh, sizeof(int), len);