|
|
36cfb7 |
From 8372b7bb8f7211563d888fdd30e473c161f7d0a0 Mon Sep 17 00:00:00 2001
|
|
|
36cfb7 |
From: Hangbin Liu <haliu@redhat.com>
|
|
|
36cfb7 |
Date: Wed, 8 Nov 2017 14:39:10 +0800
|
|
|
36cfb7 |
Subject: [PATCH] iplink: check for message truncation in iplink_get()
|
|
|
36cfb7 |
|
|
|
36cfb7 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380803
|
|
|
36cfb7 |
Upstream Status: iproute2.git commit 6599162b958e
|
|
|
36cfb7 |
|
|
|
36cfb7 |
commit 6599162b958ea5a43d729df4f30aad515db26ff4
|
|
|
36cfb7 |
Author: Michal Kubecek <mkubecek@suse.cz>
|
|
|
36cfb7 |
Date: Fri Sep 1 18:39:11 2017 +0200
|
|
|
36cfb7 |
|
|
|
36cfb7 |
iplink: check for message truncation in iplink_get()
|
|
|
36cfb7 |
|
|
|
36cfb7 |
If message length exceeds maxlen argument of rtnl_talk(), it is truncated
|
|
|
36cfb7 |
to maxlen but unlike in the case of truncation to the length of local
|
|
|
36cfb7 |
buffer in rtnl_talk(), the caller doesn't get any indication of a problem.
|
|
|
36cfb7 |
|
|
|
36cfb7 |
In particular, iplink_get() passes the truncated message on and parsing it
|
|
|
36cfb7 |
results in various warnings and sometimes even a segfault (observed with
|
|
|
36cfb7 |
"ip link show dev ..." for a NIC with 125 VFs).
|
|
|
36cfb7 |
|
|
|
36cfb7 |
Handle message truncation in iplink_get() the same way as truncation in
|
|
|
36cfb7 |
rtnl_talk() would be handled: return an error.
|
|
|
36cfb7 |
|
|
|
36cfb7 |
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
|
|
|
36cfb7 |
|
|
|
36cfb7 |
Signed-off-by: Hangbin Liu <haliu@redhat.com>
|
|
|
36cfb7 |
---
|
|
|
36cfb7 |
ip/iplink.c | 5 +++++
|
|
|
36cfb7 |
1 file changed, 5 insertions(+)
|
|
|
36cfb7 |
|
|
|
36cfb7 |
diff --git a/ip/iplink.c b/ip/iplink.c
|
|
|
e138d9 |
index da3f9a779351c..2b2421f9a2281 100644
|
|
|
36cfb7 |
--- a/ip/iplink.c
|
|
|
36cfb7 |
+++ b/ip/iplink.c
|
|
|
36cfb7 |
@@ -1031,6 +1031,11 @@ int iplink_get(unsigned int flags, char *name, __u32 filt_mask)
|
|
|
36cfb7 |
|
|
|
36cfb7 |
if (rtnl_talk(&rth, &req.n, &answer.n, sizeof(answer)) < 0)
|
|
|
36cfb7 |
return -2;
|
|
|
36cfb7 |
+ if (answer.n.nlmsg_len > sizeof(answer.buf)) {
|
|
|
36cfb7 |
+ fprintf(stderr, "Message truncated from %u to %lu\n",
|
|
|
36cfb7 |
+ answer.n.nlmsg_len, sizeof(answer.buf));
|
|
|
36cfb7 |
+ return -2;
|
|
|
36cfb7 |
+ }
|
|
|
36cfb7 |
|
|
|
36cfb7 |
if (brief)
|
|
|
36cfb7 |
print_linkinfo_brief(NULL, &answer.n, stdout);
|
|
|
36cfb7 |
--
|
|
|
e138d9 |
2.21.0
|
|
|
36cfb7 |
|