From 98e1d38056e781831b0a86b656eb9873ee51a155 Mon Sep 17 00:00:00 2001 From: Denis Kenzior Date: Wed, 22 Jan 2020 11:46:52 -0600 Subject: [PATCH] monitor: Fix crash NLMSG_OK and NLMSG_NEXT expect to operate on nlmsg_len which is an int (signed type). The current code uses an unsigned type which means that it cannot detect underflows. Such underflows can happen when NLMSG_NEXT tries to advance nlmsg_len by a number of bytes (due to alignment) which are greater than the current nlmsg_len itself. This causes iwmon to crash on certain messages. Reported-By: Daniel Wagner --- monitor/nlmon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monitor/nlmon.c b/monitor/nlmon.c index 77f5dda4..087b374f 100644 --- a/monitor/nlmon.c +++ b/monitor/nlmon.c @@ -6876,7 +6876,7 @@ static bool nlmon_receive(struct l_io *io, void *user_data) unsigned char buf[8192]; unsigned char control[32]; ssize_t bytes_read; - size_t nlmsg_len; + int nlmsg_len; int fd; fd = l_io_get_fd(io);
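Review bot: The new `int nlmsg_len;` declaration in nlmon_receive() has no comment saying why it must be signed, so a later cleanup could change it back to `size_t` and reintroduce the underflow the commit message describes. Consider a one-line comment above it noting that NLMSG_OK and NLMSG_NEXT depend on the remaining length being able to go negative. The assignment to `nlmsg_len` is outside this hunk; if it takes its value from `bytes_read` (an `ssize_t`), the narrowing to int cannot truncate as long as the receive buffer stays at `unsigned char buf[8192]`, but it is worth confirming that a negative `bytes_read` is rejected before that assignment.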