From 6262a4a7b7139fb5636228cb0f5a1e72f848d871 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 25 Nov 2008 01:56:47 +0100
Subject: build: add attribute header size to total attribute length

This patch adds the size of the attribute header (4 bytes) to the length field of netattr. This fixes a possible invalid memory access in malformed messages.

This change is included in the set of scheduled changes for 0.9.9 that break backward compatibility.

This patch also removes a memset of 4096 by one to initialize the headers and the netattr paddings.

Signed-off-by: Pablo Neira Ayuso
---
 include/network.h | 6 +++---
 src/build.c | 7 +++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/include/network.h b/include/network.h
index 2487c81..f24fb5f 100644
--- a/include/network.h
+++ b/include/network.h
@@ -49,7 +49,7 @@ enum {
 #define BUILD_NETMSG(ct, query) \
 ({ \
 char __net[4096]; \
- memset(__net, 0, sizeof(__net)); \
+ memset(__net, 0, NETHDR_SIZ + NETPLD_SIZ); \
 build_netmsg(ct, query, (struct nethdr *) __net); \
 (struct nethdr *) __net; \
 })
@@ -170,8 +170,8 @@ struct netattr {
 #define NTA_NEXT(x, len) \
 ( \
- len -= NTA_ALIGN(NTA_LENGTH(x->nta_len)), \
- (struct netattr *)(((char *)x) + NTA_ALIGN(NTA_LENGTH(x->nta_len))) \
+ len -= NTA_ALIGN(x->nta_len), \
+ (struct netattr *)(((char *)x) + NTA_ALIGN(x->nta_len)) \
 )
 #define NTA_ALIGNTO 4
diff --git a/src/build.c b/src/build.c
index 5143048..c776de8 100644
--- a/src/build.c
+++ b/src/build.c
@@ -24,9 +24,12 @@ static inline void *
 put_header(struct netpld *pld, int attr, size_t len)
 {
 struct netattr *nta = PLD_TAIL(pld);
- pld->len += NTA_ALIGN(NTA_LENGTH(len));
+ int total_size = NTA_ALIGN(NTA_LENGTH(len));
+ int attr_size = NTA_LENGTH(len);
+ pld->len += total_size;
 nta->nta_attr = htons(attr);
- nta->nta_len = htons(len);
+ nta->nta_len = htons(attr_size);
+ memset((unsigned char *)nta + attr_size, 0, total_size - attr_size);
 return NTA_DATA(nta);
 }
--
cgit v1.2.3
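Review bot: The reduced memset on the added `memset(__net, 0, NETHDR_SIZ + NETPLD_SIZ)` line leaves the rest of the 4096-byte `__net` uninitialized, so any attribute body that a builder does not write in full after this point carries stack bytes onto the wire; put_header() now zeroes attribute padding, but attribute payloads themselves are covered by neither memset. This is only a safe trade if every put_header() caller fills exactly `len` bytes, which cannot be confirmed from this hunk. A comment on the new line, e.g. `/* headers only: put_header() zeroes attr padding, attr bodies must be written in full */`, would record the invariant callers now have to uphold. The line also silently assumes `NETHDR_SIZ + NETPLD_SIZ <= sizeof(__net)`, which the old `sizeof(__net)` form made self-evident.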
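Review bot: With `nta_len` now including the 4-byte header, the rewritten NTA_NEXT no longer advances on a zero `nta_len`: `NTA_ALIGN(0)` is 0 where `NTA_ALIGN(NTA_LENGTH(0))` was 4, so a crafted attribute with nta_len 0 returns `x` unchanged with `len` undiminished, an endless loop in any walker that iterates until `len` is exhausted unless it rejects such attributes first. The macro also still subtracts a peer-controlled length from `len` with no check that it fits, so it should only be reached once the caller has verified `x->nta_len >= NTA_LENGTH(0) && NTA_ALIGN(x->nta_len) <= len`; the walker is outside this hunk, so whether it does cannot be seen here. Since build.c stores nta_len with htons(), the receiver presumably converts it in place before this macro reads the field raw, which is worth stating in a comment on the macro. As a point of style, `x` and `len` are used unparenthesized in the expansion; `(x)` and `(len)` would make the macro safe for non-trivial arguments.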
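Review bot: `attr_size` is narrowed from `size_t` into `int` and then stored via `htons()`, so a `len` of 65532 or more silently wraps the on-wire nta_len while `pld->len` still grows by the full `total_size`, desynchronizing the payload from its attribute lengths; a precondition such as `assert(NTA_LENGTH(len) <= UINT16_MAX);` before the new locals would make the limit explicit. There is also still no check that `pld->len + total_size` fits the fixed 4096-byte buffer BUILD_NETMSG hands out, so an oversized attribute overruns the stack buffer; that predates the patch, but this is where the bound belongs. The new padding memset itself is correct (it clears 0 to 3 bytes) and is what lets the caller drop the full-buffer memset. Declaring the two new locals as `size_t` rather than `int` would avoid the narrowing from `len`.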