From patchwork Wed Sep 12 23:29:28 2018
X-Patchwork-Submitter: Mahesh Bandewar
X-Patchwork-Id: 969214
X-Patchwork-Delegate: shemminger@vyatta.com
From: Mahesh Bandewar
To: Stephen Hemminger
Cc: netdev, Mahesh Bandewar
Subject: [PATCH iproute2] iproute2: fix use-after-free
Date: Wed, 12 Sep 2018 16:29:28 -0700
Message-Id: <20180912232928.166085-1-mahesh@bandewar.net>

From: Mahesh Bandewar

A local program using iproute2 lib pointed out the issue and looking at
the code it is pretty obvious -

    a = (struct nlmsghdr *)b;
    ...
    free(b);
    if (a->nlmsg_seq == seq)
    ...

Fixes: 86bf43c7c2fd ("lib/libnetlink: update rtnl_talk to support malloc buff at run time")
Signed-off-by: Mahesh Bandewar --- lib/libnetlink.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/lib/libnetlink.c b/lib/libnetlink.c index 928de1dd16d8..016a5f0bcfb6 100644 --- a/lib/libnetlink.c +++ b/lib/libnetlink.c @@ -661,17 +661,24 @@ next: if (l < sizeof(struct nlmsgerr)) { fprintf(stderr, "ERROR truncated\n"); } else if (!err->error) { + unsigned int tmp_seq; + /* check messages from kernel */ nl_dump_ext_ack(h, errfn); - if (answer) + tmp_seq = h->nlmsg_seq; + if (answer) { *answer = (struct nlmsghdr *)buf; - else + } else { free(buf); - if (h->nlmsg_seq == seq) + buf = NULL; + } + if (tmp_seq == seq) { return 0; - else if (i < iovlen) + } else if (i < iovlen) { + free(buf); goto next; + } return 0; }
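Review bot: in the `else if (i < iovlen)` branch the new `free(buf);` releases the buffer that `*answer = (struct nlmsghdr *)buf;` handed to the caller a few lines earlier, so after `goto next` the caller's `*answer` is a dangling pointer until a later reply overwrites it, and any early error return before that leaves the caller holding freed memory. Either move the `*answer = (struct nlmsghdr *)buf;` assignment under `if (tmp_seq == seq)`, the only path that actually returns this buffer, or add `*answer = NULL;` beside the new `free(buf);`. Minor: with `buf = NULL;` set in the else branch, the later `free(buf);` is a free(NULL) when answer is NULL; that is correct, but a short comment would stop the two frees from reading as a double free.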
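The pattern named in the commit message, as an added example written for this page (it is not iproute2 code): a header pointer that aliases a heap buffer is read after the buffer is freed, and the fix is to copy the needed field out before the free or the ownership hand-off. The struct layouts are local copies assumed to match <linux/netlink.h> so the file builds without kernel headers; make_ack() builds a constructed ACK reply, and handle_ack_buggy(), handle_ack_fixed() and transfer_and_check() are hypothetical names for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Local copies of the netlink uapi layouts (assumption: identical to
 * <linux/netlink.h>), so the example builds without kernel headers. */
struct nlmsghdr {
	uint32_t nlmsg_len;
	uint16_t nlmsg_type;
	uint16_t nlmsg_flags;
	uint32_t nlmsg_seq;
	uint32_t nlmsg_pid;
};
struct nlmsgerr {
	int error;
	struct nlmsghdr msg;
};
#define NLMSG_ERROR 0x2
#define NLMSG_ALIGN(len) (((len) + 3U) & ~3U)
#define NLMSG_HDRLEN ((size_t)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLMSG_DATA(h) ((void *)((char *)(h) + NLMSG_HDRLEN))

/* Constructed reply (not a real kernel message): one NLMSG_ERROR for
 * sequence number `seq` in a fresh heap buffer, the way a receive
 * wrapper that mallocs its buffer would hand it back. error == 0 is
 * an ACK, a negative errno is a NACK. */
static struct nlmsghdr *make_ack(uint32_t seq, int error)
{
	size_t len = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct nlmsgerr));
	struct nlmsghdr *h = calloc(1, len);
	struct nlmsgerr *err;

	if (!h)
		abort();
	h->nlmsg_len = (uint32_t)len;
	h->nlmsg_type = NLMSG_ERROR;
	h->nlmsg_seq = seq;
	err = NLMSG_DATA(h);
	err->error = error;
	err->msg.nlmsg_seq = seq;
	return h;
}

/* The buggy shape from the commit message, kept only for comparison:
 * `h` aliases `buf`, so h->nlmsg_seq is read after free(buf) whenever
 * the caller passed answer == NULL. Never call it that way. */
static int handle_ack_buggy(struct nlmsghdr *buf, uint32_t want_seq,
			    struct nlmsghdr **answer)
{
	struct nlmsghdr *h = buf;

	if (answer)
		*answer = buf;
	else
		free(buf);			/* h still points into buf */
	return h->nlmsg_seq == want_seq;	/* use-after-free */
}

/* The fixed shape: copy every field still needed out of the buffer
 * before ownership is transferred or the buffer is freed, then null
 * the local pointer so no later line can touch it.
 * Returns 1 if this ACK carries want_seq, 0 if not, -1 on a NACK. */
static int handle_ack_fixed(struct nlmsghdr *buf, uint32_t want_seq,
			    struct nlmsghdr **answer)
{
	struct nlmsgerr *err = NLMSG_DATA(buf);
	uint32_t seq = buf->nlmsg_seq;		/* read while buf is live */

	if (err->error) {
		free(buf);
		return -1;
	}
	if (answer)
		*answer = buf;			/* caller now owns the buffer */
	else
		free(buf);
	buf = NULL;
	return seq == want_seq;
}

/* Ownership-transfer path: the buffer survives in *answer and the
 * caller frees it. Returns 1 when the returned message carries `seq`. */
static int transfer_and_check(uint32_t seq)
{
	struct nlmsghdr *answer = NULL;
	int ok = handle_ack_fixed(make_ack(seq, 0), seq, &answer) == 1 &&
		 answer != NULL && answer->nlmsg_seq == seq;

	free(answer);
	return ok;
}

int main(void)
{
	struct nlmsghdr *keep = NULL;

	printf("fixed, freed:  %d\n", handle_ack_fixed(make_ack(7, 0), 7, NULL));
	printf("fixed, kept:   %d\n", transfer_and_check(9));
	printf("fixed, nack:   %d\n", handle_ack_fixed(make_ack(3, -22), 3, NULL));
	/* Only the safe path of the buggy variant: buffer handed out, not freed. */
	printf("buggy, kept:   %d\n", handle_ack_buggy(make_ack(5, 0), 5, &keep));
	free(keep);
	return 0;
}
```

Building with -fsanitize=address and calling handle_ack_buggy() with a NULL answer reports a heap-use-after-free on the nlmsg_seq read; handle_ack_fixed() passes the same run because the only value the function needs after the free was copied to a local first.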