[lxc-devel] [PATCH] NULL pointer deference if nlmsg_reserve() returns NULL for ifi

Tue Dec 29 06:25:58 UTC 2015

From: Wim Coekaerts <wim.coekaerts at oracle.com>

nlmsg_reserve() might return NULL

        if (nlmsg_len + tlen > nlmsg->cap)
                return NULL;

Also set err = -ENOMEM where appropriate

Signed-off-by: Wim Coekaerts <wim.coekaerts at oracle.com>
---
 src/lxc/network.c |   42 +++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 41 insertions(+), 1 deletions(-)

diff --git a/src/lxc/network.c b/src/lxc/network.c
index a6740f5..d4b015d 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -109,6 +109,8 @@ int lxc_netdev_move_by_index(int ifindex, pid_t pid, const char* ifname)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi)
+		goto out;
 	ifi->ifi_family = AF_UNSPEC;
 	ifi->ifi_index = ifindex;
 
@@ -274,6 +276,8 @@ int lxc_netdev_delete_by_index(int ifindex)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_DELLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi)
+		goto out;
 	ifi->ifi_family = AF_UNSPEC;
 	ifi->ifi_index = ifindex;
 
@@ -324,6 +328,8 @@ int lxc_netdev_rename_by_index(int ifindex, const char *newname)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi)
+		goto out;
 	ifi->ifi_family = AF_UNSPEC;
 	ifi->ifi_index = ifindex;
 
@@ -387,6 +393,10 @@ int netdev_set_flag(const char *name, int flag)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi) {
+		err = -ENOMEM;
+		goto out;
+	}
 	ifi->ifi_family = AF_UNSPEC;
 	ifi->ifi_index = index;
 	ifi->ifi_change |= IFF_UP;
@@ -437,6 +447,10 @@ int netdev_get_flag(const char* name, int *flag)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi) {
+		err = -ENOMEM;
+		goto out;
+	}
 	ifi->ifi_family = AF_UNSPEC;
 	ifi->ifi_index = index;
 
@@ -511,6 +525,8 @@ int netdev_get_mtu(int ifindex)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi)
+		goto out;
 	ifi->ifi_family = AF_UNSPEC;
 
 	/* Send the request for addresses, which returns all addresses
@@ -622,6 +638,10 @@ int lxc_netdev_set_mtu(const char *name, int mtu)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi) {
+		err = -ENOMEM;
+		goto out;
+	}
 	ifi->ifi_family = AF_UNSPEC;
 	ifi->ifi_index = index;
 
@@ -681,6 +701,8 @@ int lxc_veth_create(const char *name1, const char *name2)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi)
+		goto out;
 	ifi->ifi_family = AF_UNSPEC;
 
 	err = -EINVAL;
@@ -700,8 +722,10 @@ int lxc_veth_create(const char *name1, const char *name2)
 		goto out;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
-	if (!ifi)
+	if (!ifi) {
+		err = -ENOMEM;
 		goto out;
+	}
 
 	if (nla_put_string(nlmsg, IFLA_IFNAME, name2))
 		goto out;
@@ -764,6 +788,10 @@ int lxc_vlan_create(const char *master, const char *name, unsigned short vlanid)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi) {
+		err = -ENOMEM;
+		goto err1;
+	}
 	ifi->ifi_family = AF_UNSPEC;
 
 	nest = nla_begin_nested(nlmsg, IFLA_LINKINFO);
@@ -840,6 +868,10 @@ int lxc_macvlan_create(const char *master, const char *name, int mode)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
 
 	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
+	if (!ifi) {
+		err = -ENOMEM;
+		goto out;
+	}
 	ifi->ifi_family = AF_UNSPEC;
 
 	nest = nla_begin_nested(nlmsg, IFLA_LINKINFO);
@@ -1021,6 +1053,8 @@ static int ip_addr_add(int family, int ifindex,
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWADDR;
 
 	ifa = nlmsg_reserve(nlmsg, sizeof(struct ifaddrmsg));
+	if (!ifa) 
+		goto out;
 	ifa->ifa_prefixlen = prefix;
 	ifa->ifa_index = ifindex;
 	ifa->ifa_family = family;
@@ -1142,6 +1176,8 @@ static int ip_addr_get(int family, int ifindex, void **res)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_GETADDR;
 
 	ifa = nlmsg_reserve(nlmsg, sizeof(struct ifaddrmsg));
+	if (!ifa)
+		goto out;
 	ifa->ifa_family = family;
 
 	/* Send the request for addresses, which returns all addresses
@@ -1256,6 +1292,8 @@ static int ip_gateway_add(int family, int ifindex, void *gw)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWROUTE;
 
 	rt = nlmsg_reserve(nlmsg, sizeof(struct rtmsg));
+	if (!rt)
+		goto out;
 	rt->rtm_family = family;
 	rt->rtm_table = RT_TABLE_MAIN;
 	rt->rtm_scope = RT_SCOPE_UNIVERSE;
@@ -1320,6 +1358,8 @@ static int ip_route_dest_add(int family, int ifindex, void *dest)
 	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWROUTE;
 
 	rt = nlmsg_reserve(nlmsg, sizeof(struct rtmsg));
+	if (!rt)
+		goto out;
 	rt->rtm_family = family;
 	rt->rtm_table = RT_TABLE_MAIN;
 	rt->rtm_scope = RT_SCOPE_LINK;
-- 
1.7.1

