45 lines
1.2 KiB
Diff
45 lines
1.2 KiB
Diff
From ca34ad524ec7a9f0e24bb5975b178a3e70268f0f Mon Sep 17 00:00:00 2001
|
|
From: Thomas Haller <thaller@redhat.com>
|
|
Date: Fri, 28 Jul 2023 11:24:26 +0200
|
|
Subject: [PATCH] lib: handle negative and zero size in nla_memcpy()
|
|
|
|
a negative count is a bug in the caller. Still, handle it better than
|
|
just crashing. Maybe we should assert, but it doesn't seem best to
|
|
assert against user input.
|
|
|
|
Also, if count is zero, don't call memcpy(). Calling memcpy() requires
|
|
that the source and destination pointers are valid, otherwise it's
|
|
undefined behavior. I think if the caller tells us to copy zero bytes,
|
|
we should never look at the destination pointer.
|
|
|
|
Conflict:NA
|
|
Reference:https://github.com/thom311/libnl/commit/ca34ad524ec7a9f0e24bb5975b178a3e70268f0f
|
|
|
|
---
|
|
lib/attr.c | 7 +++++--
|
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/attr.c b/lib/attr.c
|
|
index 2b2d538..23619c7 100644
|
|
--- a/lib/attr.c
|
|
+++ b/lib/attr.c
|
|
@@ -357,10 +357,13 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
|
|
|
|
if (!src)
|
|
return 0;
|
|
-
|
|
+
|
|
minlen = min_t(int, count, nla_len(src));
|
|
- memcpy(dest, nla_data(src), minlen);
|
|
|
|
+ if (minlen <= 0)
|
|
+ return 0;
|
|
+
|
|
+ memcpy(dest, nla_data(src), minlen);
|
|
return minlen;
|
|
}
|
|
|
|
--
|
|
2.33.0
|
|
|