[PATCH] lib: Return error on Netlink attribute length overflow

Przemyslaw Szczerbik przemekszczerbik at gmail.com
Mon May 30 14:26:00 PDT 2016 

Netlink attribute length is defined as u16. It's possible to exceed nla_len when
creating nested attributes. Storing incorrect length due to overflow will cause
a reader to read only a part of nested attribute or skip it entirely.

As a solution cancel the addition of a nested attribute when nla_len size is
exceeded.

Signed-off-by: Przemyslaw Szczerbik <przemek.szczerbik at gmail.com>
---
 include/netlink/errno.h | 3 ++-
 lib/attr.c              | 9 +++++----
 lib/error.c             | 1 +
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/include/netlink/errno.h b/include/netlink/errno.h
index f8b5130..35710cf 100644
--- a/include/netlink/errno.h
+++ b/include/netlink/errno.h
@@ -50,8 +50,9 @@ extern "C" {
 #define NLE_NODEV		31
 #define NLE_IMMUTABLE		32
 #define NLE_DUMP_INTR		33
+#define NLE_ATTRSIZE		34
 
-#define NLE_MAX			NLE_DUMP_INTR
+#define NLE_MAX		NLE_ATTRSIZE
 
 extern const char *	nl_geterror(int);
 extern void		nl_perror(int, const char *);
diff --git a/lib/attr.c b/lib/attr.c
index 9d8bb26..a3d1b16 100644
--- a/lib/attr.c
+++ b/lib/attr.c
@@ -912,7 +912,7 @@ struct nlattr *nla_nest_start(struct nl_msg *msg, int attrtype)
  *
  * Corrects the container attribute header to include the appeneded attributes.
  *
- * @return 0
+ * @return 0 on success or a negative error code.
  */
 int nla_nest_end(struct nl_msg *msg, struct nlattr *start)
 {
@@ -920,14 +920,15 @@ int nla_nest_end(struct nl_msg *msg, struct nlattr *start)
 
 	len = (void *) nlmsg_tail(msg->nm_nlh) - (void *) start;
 
-	if (len == NLA_HDRLEN) {
+	if (len == NLA_HDRLEN || len > USHRT_MAX) {
 		/*
-		 * Kernel can't handle empty nested attributes, trim the
+		 * Max nlattr size exceeded or empty nested attribute, trim the
 		 * attribute header again
 		 */
 		nla_nest_cancel(msg, start);
 
-		return 0;
+		/* Return error only if nlattr size was exceeded */
+		return (len == NLA_HDRLEN) ? 0 : -NLE_ATTRSIZE;
 	}
 
 	start->nla_len = len;
diff --git a/lib/error.c b/lib/error.c
index f30b9a5..7fbd389 100644
--- a/lib/error.c
+++ b/lib/error.c
@@ -47,6 +47,7 @@ static const char *errmsg[NLE_MAX+1] = {
 [NLE_NODEV]		= "No such device",
 [NLE_IMMUTABLE]		= "Immutable attribute",
 [NLE_DUMP_INTR]		= "Dump inconsistency detected, interrupted",
+[NLE_ATTRSIZE]		= "Attribute max length exceeded",
 };
 
 /**
-- 
2.7.4

More information about the libnl mailing list