libnetlink: validate nlmsg header length first
authorMax Kunzelmann <maxdev@posteo.de>
Tue, 7 Nov 2023 01:20:55 +0000 (01:20 +0000)
committerStephen Hemminger <stephen@networkplumber.org>
Thu, 9 Nov 2023 17:03:57 +0000 (09:03 -0800)
Validate the nlmsg header length before accessing the nlmsg payload
length.

Fixes: 892a25e286fb ("libnetlink: break up dump function")
Signed-off-by: Max Kunzelmann <maxdev@posteo.de>
Reviewed-by: Benny Baumann <BenBE@geshi.org>
Reviewed-by: Robert Geislinger <github@crpykng.de>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
lib/libnetlink.c

index 7edcd28569fd1b49a8a592ec1c9bb740391d6d59..016482294276c334ff2392e0c80d8eff819533c3 100644 (file)
@@ -727,13 +727,15 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n)
 static int rtnl_dump_done(struct nlmsghdr *h,
                          const struct rtnl_dump_filter_arg *a)
 {
-       int len = *(int *)NLMSG_DATA(h);
+       int len;
 
        if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) {
                fprintf(stderr, "DONE truncated\n");
                return -1;
        }
 
+       len = *(int *)NLMSG_DATA(h);
+
        if (len < 0) {
                errno = -len;