[lxc-devel] [lxc/master] nl: avoid NULL pointer dereference

brauner on Github lxc-bot at linuxcontainers.org
Sun Jul 29 16:36:06 UTC 2018


From 76012e573563e9f14e698642d196fad8e0e38a0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal at milecki.pl>
Date: Sun, 29 Jul 2018 17:44:06 +0200
Subject: [PATCH] nl: avoid NULL pointer dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's a valid case to call nla_put() with NULL data and 0 len. It's done e.g. in
the nla_put_attr().

There has to be a check for data in nla_put() as passing NULL to the memcpy()
is not allowed. Even if length is 0, both pointers have to be valid.

For a reference see C99 standard (7.21.1/2), it says: "pointer arguments on
such a call shall still have valid values".

Reported-by: Daniel Gimpelevich <daniel at gimpelevich.san-francisco.ca.us>
Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
---
 src/lxc/nl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lxc/nl.c b/src/lxc/nl.c
index e1dd84432..dfe71110f 100644
--- a/src/lxc/nl.c
+++ b/src/lxc/nl.c
@@ -61,7 +61,8 @@ static int nla_put(struct nlmsg *nlmsg, int attr,
 	rta = NLMSG_TAIL(nlmsg->nlmsghdr);
 	rta->rta_type = attr;
 	rta->rta_len = rtalen;
-	memcpy(RTA_DATA(rta), data, len);
+	if (data && len)
+		memcpy(RTA_DATA(rta), data, len);
 	nlmsg->nlmsghdr->nlmsg_len = tlen;
 	return 0;
 }
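
Review bot: With `if (data && len)`, a call that passes data == NULL and a non-zero len now silently skips the copy, yet `rta->rta_len = rtalen;` and `nlmsg->nlmsghdr->nlmsg_len = tlen;` are still written, so if those lengths account for len the attribute advertises payload bytes that were never initialised. The only case the commit message calls valid is NULL data with 0 len, so consider rejecting the NULL-with-non-zero-len combination up front with an error return (before rta is touched) and guarding the memcpy() on data alone. A short comment above the guard pointing at the nla_put_attr() caller and the C99 7.21.1/2 requirement would also keep the check from being removed later as seemingly redundant.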

