[lxc-devel] [PATCH] NULL pointer deference if nlmsg_reserve() returns NULL for ifi

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jan 4 17:54:49 UTC 2016 

Quoting wim.coekaerts at oracle.com (wim.coekaerts at oracle.com):
> From: Wim Coekaerts <wim.coekaerts at oracle.com>
> 
> nlmsg_reserve() might return NULL
> 
>         if (nlmsg_len + tlen > nlmsg->cap)
>                 return NULL;
> 
> Also set err = -ENOMEM where appropriate
> 
> Signed-off-by: Wim Coekaerts <wim.coekaerts at oracle.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  src/lxc/network.c |   42 +++++++++++++++++++++++++++++++++++++++++-
>  1 files changed, 41 insertions(+), 1 deletions(-)
> 
> diff --git a/src/lxc/network.c b/src/lxc/network.c
> index a6740f5..d4b015d 100644
> --- a/src/lxc/network.c
> +++ b/src/lxc/network.c
> @@ -109,6 +109,8 @@ int lxc_netdev_move_by_index(int ifindex, pid_t pid, const char* ifname)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = ifindex;
>  
> @@ -274,6 +276,8 @@ int lxc_netdev_delete_by_index(int ifindex)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_DELLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = ifindex;
>  
> @@ -324,6 +328,8 @@ int lxc_netdev_rename_by_index(int ifindex, const char *newname)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = ifindex;
>  
> @@ -387,6 +393,10 @@ int netdev_set_flag(const char *name, int flag)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi) {
> +		err = -ENOMEM;
> +		goto out;
> +	}
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = index;
>  	ifi->ifi_change |= IFF_UP;
> @@ -437,6 +447,10 @@ int netdev_get_flag(const char* name, int *flag)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi) {
> +		err = -ENOMEM;
> +		goto out;
> +	}
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = index;
>  
> @@ -511,6 +525,8 @@ int netdev_get_mtu(int ifindex)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_GETLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  
>  	/* Send the request for addresses, which returns all addresses
> @@ -622,6 +638,10 @@ int lxc_netdev_set_mtu(const char *name, int mtu)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi) {
> +		err = -ENOMEM;
> +		goto out;
> +	}
>  	ifi->ifi_family = AF_UNSPEC;
>  	ifi->ifi_index = index;
>  
> @@ -681,6 +701,8 @@ int lxc_veth_create(const char *name1, const char *name2)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi)
> +		goto out;
>  	ifi->ifi_family = AF_UNSPEC;
>  
>  	err = -EINVAL;
> @@ -700,8 +722,10 @@ int lxc_veth_create(const char *name1, const char *name2)
>  		goto out;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> -	if (!ifi)
> +	if (!ifi) {
> +		err = -ENOMEM;
>  		goto out;
> +	}
>  
>  	if (nla_put_string(nlmsg, IFLA_IFNAME, name2))
>  		goto out;
> @@ -764,6 +788,10 @@ int lxc_vlan_create(const char *master, const char *name, unsigned short vlanid)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi) {
> +		err = -ENOMEM;
> +		goto err1;
> +	}
>  	ifi->ifi_family = AF_UNSPEC;
>  
>  	nest = nla_begin_nested(nlmsg, IFLA_LINKINFO);
> @@ -840,6 +868,10 @@ int lxc_macvlan_create(const char *master, const char *name, int mode)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWLINK;
>  
>  	ifi = nlmsg_reserve(nlmsg, sizeof(struct ifinfomsg));
> +	if (!ifi) {
> +		err = -ENOMEM;
> +		goto out;
> +	}
>  	ifi->ifi_family = AF_UNSPEC;
>  
>  	nest = nla_begin_nested(nlmsg, IFLA_LINKINFO);
> @@ -1021,6 +1053,8 @@ static int ip_addr_add(int family, int ifindex,
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWADDR;
>  
>  	ifa = nlmsg_reserve(nlmsg, sizeof(struct ifaddrmsg));
> +	if (!ifa) 
> +		goto out;
>  	ifa->ifa_prefixlen = prefix;
>  	ifa->ifa_index = ifindex;
>  	ifa->ifa_family = family;
> @@ -1142,6 +1176,8 @@ static int ip_addr_get(int family, int ifindex, void **res)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_GETADDR;
>  
>  	ifa = nlmsg_reserve(nlmsg, sizeof(struct ifaddrmsg));
> +	if (!ifa)
> +		goto out;
>  	ifa->ifa_family = family;
>  
>  	/* Send the request for addresses, which returns all addresses
> @@ -1256,6 +1292,8 @@ static int ip_gateway_add(int family, int ifindex, void *gw)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWROUTE;
>  
>  	rt = nlmsg_reserve(nlmsg, sizeof(struct rtmsg));
> +	if (!rt)
> +		goto out;
>  	rt->rtm_family = family;
>  	rt->rtm_table = RT_TABLE_MAIN;
>  	rt->rtm_scope = RT_SCOPE_UNIVERSE;
> @@ -1320,6 +1358,8 @@ static int ip_route_dest_add(int family, int ifindex, void *dest)
>  	nlmsg->nlmsghdr->nlmsg_type = RTM_NEWROUTE;
>  
>  	rt = nlmsg_reserve(nlmsg, sizeof(struct rtmsg));
> +	if (!rt)
> +		goto out;
>  	rt->rtm_family = family;
>  	rt->rtm_table = RT_TABLE_MAIN;
>  	rt->rtm_scope = RT_SCOPE_LINK;
> -- 
> 1.7.1
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

More information about the lxc-devel mailing list