From 5b5cbaf1e54a9c0fb169465913c1250c560b487a Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Thu, 18 Feb 2016 14:07:42 +0100

Subject: [PATCH] libnetlink: don't confuse variables in rtnl_talk()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1288042

Upstream Status: iproute2.git commit ed108cfc0260b

commit ed108cfc0260b6b751647982b77d6363b1defb15

Author: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Date:   Thu Dec 3 17:13:48 2015 +0100

    libnetlink: don't confuse variables in rtnl_talk()

    There is two variables named 'len' in rtnl_talk. In fact, commit

    c079e121a73a didn't work. For example, it was possible to trigger

    a seg fault with this command:

    $ ip link set gre2 type ip6gre hoplimit 32

    Let's rename the argument len to maxlen.

    Fixes: c079e121a73a ("libnetlink: add size argument to rtnl_talk")

    Reported-by: Thomas Faivre <thomas.faivre@6wind.com>

    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

---

 lib/libnetlink.c | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/libnetlink.c b/lib/libnetlink.c

index 97b79fd..b2a300e 100644

--- a/lib/libnetlink.c

+++ b/lib/libnetlink.c

@@ -311,7 +311,7 @@ int rtnl_dump_filter_nc(struct rtnl_handle *rth,

 }

 int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n,

-	      struct nlmsghdr *answer, size_t len)

+	      struct nlmsghdr *answer, size_t maxlen)

 {

 	int status;

 	unsigned seq;

@@ -394,7 +394,7 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n,

 				} else if (!err->error) {

 					if (answer)

 						memcpy(answer, h,

-						       MIN(len, h->nlmsg_len));

+						       MIN(maxlen, h->nlmsg_len));

 					return 0;

 				}

@@ -406,7 +406,7 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n,

 			if (answer) {

 				memcpy(answer, h,

-				       MIN(len, h->nlmsg_len));

+				       MIN(maxlen, h->nlmsg_len));

 				return 0;

 			}

-- 

1.8.3.1