3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-19 18:22:32 +01:00

monitor: Fix crash

NLMSG_OK and NLMSG_NEXT expect to operate on nlmsg_len which is an int
(signed type).  The current code uses an unsigned type which means that
it cannot detect underflows.  Such underflows can happen when NLMSG_NEXT
tries to advance nlmsg_len by a number of bytes (due to alignment) which
are greater than the current nlmsg_len itself.  This causes iwmon to
crash on certain messages.

Reported-By: Daniel Wagner <wagi@monom.org>
This commit is contained in:
Denis Kenzior 2020-01-22 11:46:52 -06:00
parent 681172a999
commit 98e1d38056

View File

@ -6876,7 +6876,7 @@ static bool nlmon_receive(struct l_io *io, void *user_data)
unsigned char buf[8192];
unsigned char control[32];
ssize_t bytes_read;
size_t nlmsg_len;
int nlmsg_len;
int fd;
fd = l_io_get_fd(io);