From: Stephen Hemminger Date: Thu, 13 Sep 2018 19:33:38 +0000 (-0700) Subject: libnetlink: fix leak and using unused memory on error X-Git-Tag: v4.19.0~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c60389e4f9ea88d7246dbb148d28791d577fe5b4;p=thirdparty%2Fiproute2.git libnetlink: fix leak and using unused memory on error If an error happens in multi-segment message (tc only) then report the error and stop processing further responses. This also fixes refering to the buffer after free. The sequence check is not necessary here because the response message has already been validated to be in the window of the sequence number of the iov. Reported-by: Mahesh Bandewar Signed-off-by: Stephen Hemminger Acked-by: Mahesh Bandewar --- diff --git a/lib/libnetlink.c b/lib/libnetlink.c index 928de1dd1..586809292 100644 --- a/lib/libnetlink.c +++ b/lib/libnetlink.c @@ -617,7 +617,6 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov, msg.msg_iovlen = 1; i = 0; while (1) { -next: status = rtnl_recvmsg(rtnl->fd, &msg, &buf); ++i; @@ -660,27 +659,23 @@ next: if (l < sizeof(struct nlmsgerr)) { fprintf(stderr, "ERROR truncated\n"); - } else if (!err->error) { + free(buf); + return -1; + } + + if (!err->error) /* check messages from kernel */ nl_dump_ext_ack(h, errfn); - if (answer) - *answer = (struct nlmsghdr *)buf; - else - free(buf); - if (h->nlmsg_seq == seq) - return 0; - else if (i < iovlen) - goto next; - return 0; - } - if (rtnl->proto != NETLINK_SOCK_DIAG && show_rtnl_err) rtnl_talk_error(h, err, errfn); errno = -err->error; - free(buf); + if (answer) + *answer = (struct nlmsghdr *)buf; + else + free(buf); return -i; }