From fde77649df47e8313d330a3f1e0f4b698e73ee8b Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Thu, 22 Apr 2010 11:50:37 +0200
Subject: fix mnl_attr_parse()

mnl_attr_parse does not take into account the length of the netlink
message header and the offset. Thus when validating attributes, it
goes over the end of the real attribute stream and catches invalid
data areas.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org
---
 src/attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/attr.c b/src/attr.c
index 59cf8c0..2b2977e 100644
--- a/src/attr.c
+++ b/src/attr.c
@@ -247,7 +247,7 @@ int mnl_attr_parse(const struct nlmsghdr *nlh, int offset,
 {
 	int ret = MNL_CB_OK;
 	struct nlattr *attr = mnl_nlmsg_get_payload_offset(nlh, offset);
-	int len = nlh->nlmsg_len;
+	int len = nlh->nlmsg_len - MNL_NLMSG_HDRLEN - MNL_ALIGN(offset);
 
 	while (mnl_attr_ok(attr, len)) {
 		if (cb && (ret = cb(attr, data)) <= MNL_CB_STOP)
-- 
cgit v1.2.3