[lxc-devel] [PATCH] check for data in nla_put() to avoid invalid memcpy() calls

Christian Brauner christian at brauner.io
Sun Jul 29 16:39:08 UTC 2018


On Sun, Jul 29, 2018 at 05:44:06PM +0200, Rafał Miłecki wrote:
> From: Rafał Miłecki <rafal at milecki.pl>
> 
> It's a valid case to call nla_put() with NULL data and 0 len. It's done
> e.g. in the nla_put_attr().
> 
> There has to be a check for data in nla_put() as passing NULL to the
> memcpy() is not allowed. Even if length is 0, both pointers have to be
> valid.
> 
> For a reference see C99 standard (7.21.1/2), it says: "pointer arguments
> on such a call shall still have valid values".
> 
> Reported-by: Daniel Gimpelevich <daniel at gimpelevich.san-francisco.ca.us>
> Signed-off-by: Rafał Miłecki <rafal at milecki.pl>

Thanks, I've created a branch at https://github.com/lxc/lxc/pull/2497 .

Acked-by: Christian Brauner <christian.brauner at ubuntu.com>

> ---
>  src/lxc/nl.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/nl.c b/src/lxc/nl.c
> index e1dd8443..dfe71110 100644
> --- a/src/lxc/nl.c
> +++ b/src/lxc/nl.c
> @@ -61,7 +61,8 @@ static int nla_put(struct nlmsg *nlmsg, int attr,
>  	rta = NLMSG_TAIL(nlmsg->nlmsghdr);
>  	rta->rta_type = attr;
>  	rta->rta_len = rtalen;
> -	memcpy(RTA_DATA(rta), data, len);
> +	if (data && len)
> +		memcpy(RTA_DATA(rta), data, len);
>  	nlmsg->nlmsghdr->nlmsg_len = tlen;
>  	return 0;
>  }
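Review bot: The `data &&` half of the new condition in nla_put() hides a caller error. When data is NULL and len is non-zero, the copy is skipped but `rta->rta_len = rtalen` and `nlmsg->nlmsghdr->nlmsg_len = tlen` are still applied and the function returns 0, so the message grows by an attribute whose payload was never written. The case the commit message describes (NULL data with 0 len) is already covered by testing len alone. Consider rejecting the mismatch before the header is filled in, with a check on `!data && len` that returns an error in the same convention as the function's other failure paths, and keeping `if (len)` as the guard on the memcpy(). A one-line comment stating that NULL data is only valid with len 0 would document the contract for callers such as nla_put_attr().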
> -- 
> 2.13.7