Kernel/iwd
3
0
Fork 0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-19 02:39:29 +01:00
Code Releases Activity

monitor: Fix crash

Browse Source 
NLMSG_OK and NLMSG_NEXT expect to operate on nlmsg_len which is an int
(signed type).  The current code uses an unsigned type which means that
it cannot detect underflows.  Such underflows can happen when NLMSG_NEXT
tries to advance nlmsg_len by a number of bytes (due to alignment) which
are greater than the current nlmsg_len itself.  This causes iwmon to
crash on certain messages.

Reported-By: Daniel Wagner <wagi@monom.org>
This commit is contained in:
Denis Kenzior 2020-01-22 11:46:52 -06:00
parent 681172a999
commit 98e1d38056
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
monitor/nlmon.c
View File

@ -6876,7 +6876,7 @@ static bool nlmon_receive(struct l_io *io, void *user_data)
unsigned char buf[8192];
unsigned char control[32];
ssize_t bytes_read;
size_t nlmsg_len;
int nlmsg_len;
int fd;
fd = l_io_get_fd(io);