From: Max Kunzelmann
Date: Tue, 7 Nov 2023 01:20:55 +0000 (+0000)
Subject: libnetlink: validate nlmsg header length first
X-Git-Tag: v6.7.0~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78eebdbc7d2f96b01a18d7db33c1c99266efc4bc;p=thirdparty%2Fiproute2.git

libnetlink: validate nlmsg header length first

Validate the nlmsg header length before accessing the nlmsg payload length.

Fixes: 892a25e286fb ("libnetlink: break up dump function")
Signed-off-by: Max Kunzelmann
Reviewed-by: Benny Baumann
Reviewed-by: Robert Geislinger
Signed-off-by: Stephen Hemminger
---

diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index 7edcd2856..016482294 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -727,13 +727,15 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n)
 static int rtnl_dump_done(struct nlmsghdr *h, const struct rtnl_dump_filter_arg *a)
 {
- int len = *(int *)NLMSG_DATA(h);
+ int len;
 if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) {
 fprintf(stderr, "DONE truncated\n");
 return -1;
 }
+ len = *(int *)NLMSG_DATA(h);
+
 if (len < 0) {
 errno = -len;
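Review bot: The length guard in rtnl_dump_done() compares only `h->nlmsg_len`, a value taken from the message itself, so the deferred read `len = *(int *)NLMSG_DATA(h);` is in bounds only if the caller has already checked that nlmsg_len fits in the bytes actually received (for example with `NLMSG_OK`); that caller is not visible in this hunk. If that precondition holds, state it where the read now sits, e.g. `/* nlmsg_len already bounded by the caller; read the payload only after the size check above */`. The Fixes: trailer indicates the ordering was lost during a refactor, so a comment at this spot also helps keep the declaration and the read from being merged again. The function body continues past the end of the hunk.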