[lxc-devel] [PATCH] NULL pointer dereference if nlmsg_reserve() returns NULL for ifi

Serge Hallyn serge.hallyn at ubuntu.com
Mon Dec 28 23:53:30 UTC 2015


Quoting wim.coekaerts at oracle.com (wim.coekaerts at oracle.com):
> From: Wim Coekaerts <wim.coekaerts at oracle.com>
> 
> nlmsg_reserve() might return NULL
> 
>         if (nlmsg_len + tlen > nlmsg->cap)
>                 return NULL;
> 
> Signed-off-by: Wim Coekaerts <wim.coekaerts at oracle.com>
> ---
>  src/lxc/network.c |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
> 
> diff --git a/src/lxc/network.c b/src/lxc/network.c
> index a6740f5..731c374 100644
> --- a/src/lxc/network.c
> +++ b/src/lxc/network.c
> @@ -274,6 +274,8 @@ int lxc_netdev_delete_by_index(int ifindex)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_DELLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = ifindex;
>  
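Review bot: the new `if (!ifi) goto out;` in lxc_netdev_delete_by_index() jumps to the cleanup label without assigning a return value, so the function returns whatever `err` happened to hold before the `nlmsg_reserve()` call, which this hunk does not show. Set it explicitly before the jump, e.g. `err = -ENOMEM;` followed by `goto out;`, so a failed reservation is reported as an allocation failure rather than as success or as some earlier, unrelated error.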
> @@ -324,6 +326,8 @@ int lxc_netdev_rename_by_index(int ifindex, const char *newname)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = ifindex;
>  
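Review bot: same point for lxc_netdev_rename_by_index(): the added `goto out` on a NULL `ifi` leaves the returned error code to whatever was last assigned earlier in the function, and the hunk gives no guarantee that this is a failure value. Assign `err = -ENOMEM;` immediately before `goto out;` so the caller sees a definite error when `nlmsg_reserve()` runs out of buffer space.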
> @@ -387,6 +391,8 @@ int netdev_set_flag(const char *name, int flag)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  

Oh, for this one should err be set to ENOMEM?

>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = index;
>  	ifi->ifi_change |= IFF_UP;
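Review bot: in netdev_set_flag() the new `goto out` again does not set `err`, which is the ENOMEM question raised above; since the value of `err` at this point is not visible in the hunk, make the failure explicit with `err = -ENOMEM;` before `goto out;` so that a NULL return from `nlmsg_reserve()` cannot be masked by an earlier `err` assignment.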
> @@ -437,6 +443,8 @@ int netdev_get_flag(const char* name, int *flag)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK;
>  

and this,

>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = index;
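Review bot: netdev_get_flag() has the same gap as the other three sites: the added `if (!ifi) goto out;` returns with `err` unchanged from whatever it held before the reservation, and this hunk does not show that it is an error value. Add `err = -ENOMEM;` before the `goto out;` here as well, so all four new checks report the failure consistently.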

And actually there are a few other calls to nlmsg_reserve() which
you are not handling.
