[lxc-devel] [PATCH] NULL pointer deference if nlmsg_reserve() returns NULL for ifi

Wim Coekaerts wim.coekaerts at oracle.com
Mon Dec 28 23:55:18 UTC 2015 

Ah I thought I got the all that had issues. Let me double check 

> On Dec 28, 2015, at 3:53 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> Quoting wim.coekaerts at oracle.com (wim.coekaerts at oracle.com):
>> From: Wim Coekaerts <wim.coekaerts at oracle.com>
>> 
>> nlmsg_reserve() might return NULL
>> 
>>        if (nlmsg_len + tlen > nlmsg->cap)
>>                return NULL;
>> 
>> Signed-off-by: Wim Coekaerts <wim.coekaerts at oracle.com>
>> ---
>> src/lxc/network.c |    8 ++++++++
>> 1 files changed, 8 insertions(+), 0 deletions(-)
>> 
>> diff --git a/src/lxc/network.c b/src/lxc/network.c
>> index a6740f5..731c374 100644
>> --- a/src/lxc/network.c
>> +++ b/src/lxc/network.c
>> @@ -274,6 +274,8 @@ int lxc_netdev_delete_by_index(int ifindex)
>>    nlmsg->nlmsghdr->nlmsg_type = RTM_DELLINK;
>> 
>>    ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
>> +    if (!ifi)
>> +        goto out;
>>    ifi->ifi_family = AF_UNSPEC;
>>    ifi->ifi_index = ifindex;
>> 
>> @@ -324,6 +326,8 @@ int lxc_netdev_rename_by_index(int ifindex, const char *newname)
>>    nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>> 
>>    ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
>> +    if (!ifi)
>> +        goto out;
>>    ifi->ifi_family = AF_UNSPEC;
>>    ifi->ifi_index = ifindex;
>> 
>> @@ -387,6 +391,8 @@ int netdev_set_flag(const char *name, int flag)
>>    nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
> 
> Oh, for this one should err be set to ENOMEM?
> 
>>    ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
>> +    if (!ifi)
>> +        goto out;
>>    ifi->ifi_family = AF_UNSPEC;
>>    ifi->ifi_index = index;
>>    ifi->ifi_change |= IFF_UP;
>> @@ -437,6 +443,8 @@ int netdev_get_flag(const char* name, int *flag)
>>    nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK;
> 
> and this,
> 
>>    ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
>> +    if (!ifi)
>> +        goto out;
>>    ifi->ifi_family = AF_UNSPEC;
>>    ifi->ifi_index = index;
> 
> And actually there are a few other calls to nlmsg_reserve() which
> you are not handling.
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

More information about the lxc-devel mailing list