From: Wim Coekaerts
Date: Tue, 29 Dec 2015 06:25:58 +0000 (-0800)
Subject: NULL pointer deference if nlmsg_reserve() returns NULL for ifi
X-Git-Tag: lxc-1.0.9~119
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b247e1cc0a50b79909a957a78f418608c68e911;p=thirdparty%2Flxc.git
NULL pointer deference if nlmsg_reserve() returns NULL for ifi
nlmsg_reserve() might return NULL if (nlmsg_len + tlen > nlmsg->cap) return NULL; Also set err = -ENOMEM where appropriate
Signed-off-by: Wim Coekaerts
Acked-by: Serge E. Hallyn
---
diff --git a/src/lxc/network.c b/src/lxc/network.c
index 54367c879..a0d3f973e 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -108,6 +108,8 @@ int lxc_netdev_move_by_index(int ifindex, pid_t pid, const char* ifname)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi)
+ goto out;
 ifi->ifi_family = AF_UNSPEC;
 ifi->ifi_index = ifindex;
@@ -164,6 +166,8 @@ int lxc_netdev_delete_by_index(int ifindex)
 nlmsg->nlmsghdr->nlmsg_type = RTM_DELLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi)
+ goto out;
 ifi->ifi_family = AF_UNSPEC;
 ifi->ifi_index = ifindex;
@@ -214,6 +218,8 @@ int lxc_netdev_rename_by_index(int ifindex, const char *newname)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi)
+ goto out;
 ifi->ifi_family = AF_UNSPEC;
 ifi->ifi_index = ifindex;
@@ -277,6 +283,10 @@ int netdev_set_flag(const char *name, int flag)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi) {
+ err = -ENOMEM;
+ goto out;
+ }
 ifi->ifi_family = AF_UNSPEC;
 ifi->ifi_index = index;
 ifi->ifi_change |= IFF_UP;
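Review bot: The bare `goto out;` added in the lxc_netdev_move_by_index hunk leaves the return value to whatever `err` holds when nlmsg_reserve() fails, and that assignment is outside the hunk. If `err` were still 0 at that point, the function would report success without having sent the netlink request, and the caller would carry on as if the operation had been applied. The same applies to the lxc_netdev_delete_by_index, lxc_netdev_rename_by_index, netdev_get_mtu, first lxc_veth_create, ip_addr_add, ip_addr_get, ip_gateway_add and ip_route_dest_add hunks, while the remaining hunks already set the code explicitly. Making every site read `if (!ifi) { err = -ENOMEM; goto out; }` (with `ifa` or `rt` as appropriate) removes the dependency on earlier statements. Each function body starts and ends outside its hunk.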
@@ -327,6 +337,10 @@ int netdev_get_flag(const char* name, int *flag)
 nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi) {
+ err = -ENOMEM;
+ goto out;
+ }
 ifi->ifi_family = AF_UNSPEC;
 ifi->ifi_index = index;
@@ -401,6 +415,8 @@ int netdev_get_mtu(int ifindex)
 nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi)
+ goto out;
 ifi->ifi_family = AF_UNSPEC;
 /* Send the request for addresses, which returns all addresses
@@ -512,6 +528,10 @@ int lxc_netdev_set_mtu(const char *name, int mtu)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi) {
+ err = -ENOMEM;
+ goto out;
+ }
 ifi->ifi_family = AF_UNSPEC;
 ifi->ifi_index = index;
@@ -571,6 +591,8 @@ int lxc_veth_create(const char *name1, const char *name2)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi)
+ goto out;
 ifi->ifi_family = AF_UNSPEC;
 err = -EINVAL;
@@ -590,8 +612,10 @@ int lxc_veth_create(const char *name1, const char *name2)
 goto out;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
- if (!ifi)
+ if (!ifi) {
+ err = -ENOMEM;
 goto out;
+ }
 if (nla_put_string(nlmsg, IFLA_IFNAME, name2))
 goto out;
@@ -654,6 +678,10 @@ int lxc_vlan_create(const char *master, const char *name, unsigned short vlanid)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi) {
+ err = -ENOMEM;
+ goto err1;
+ }
 ifi->ifi_family = AF_UNSPEC;
 nest = nla_begin_nested(nlmsg, IFLA_LINKINFO);
@@ -730,6 +758,10 @@ int lxc_macvlan_create(const char *master, const char *name, int mode)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+ if (!ifi) {
+ err = -ENOMEM;
+ goto out;
+ }
 ifi->ifi_family = AF_UNSPEC;
 nest = nla_begin_nested(nlmsg, IFLA_LINKINFO);
@@ -911,6 +943,8 @@ static int ip_addr_add(int family, int ifindex,
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWADDR;
 ifa = nlmsg_reserve(nlmsg, sizeof(struct ifaddrmsg));
+ if (!ifa)
+ goto out;
 ifa->ifa_prefixlen = prefix;
 ifa->ifa_index = ifindex;
 ifa->ifa_family = family;
@@ -1032,6 +1066,8 @@ static int ip_addr_get(int family, int ifindex, void **res)
 nlmsg->nlmsghdr->nlmsg_type = RTM_GETADDR;
 ifa = nlmsg_reserve(nlmsg, sizeof(struct ifaddrmsg));
+ if (!ifa)
+ goto out;
 ifa->ifa_family = family;
 /* Send the request for addresses, which returns all addresses
@@ -1146,6 +1182,8 @@ static int ip_gateway_add(int family, int ifindex, void *gw)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWROUTE;
 rt = nlmsg_reserve(nlmsg, sizeof(struct rtmsg));
+ if (!rt)
+ goto out;
 rt->rtm_family = family;
 rt->rtm_table = RT_TABLE_MAIN;
 rt->rtm_scope = RT_SCOPE_UNIVERSE;
@@ -1210,6 +1248,8 @@ static int ip_route_dest_add(int family, int ifindex, void *dest)
 nlmsg->nlmsghdr->nlmsg_type = RTM_NEWROUTE;
 rt = nlmsg_reserve(nlmsg, sizeof(struct rtmsg));
+ if (!rt)
+ goto out;
 rt->rtm_family = family;
 rt->rtm_table = RT_TABLE_MAIN;
 rt->rtm_scope = RT_SCOPE_LINK;