build: add attribute header size to total attribute length

This patch adds the size of the attribute header (4 bytes) to the length field of netattr. This fixes a possible invalid memory access in malformed messages. This change is included in the set of scheduled changes for 0.9.9 that break backward compatibility. This patch also removes a memset of 4096 by one to initialize the headers and the netattr paddings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2008-11-25 01:56:47 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2008-11-25 01:56:47 +0100
commit: 6262a4a7b7139fb5636228cb0f5a1e72f848d871 (patch)
tree: a239dc549821e9cc897d616dd99c637767bf9fee /src/build.c
parent: 40efc1ebb15be022453f8c820c31099a8a0ebebd (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/src/build.c b/src/build.c
index 5143048..c776de8 100644
--- a/src/build.c
+++ b/src/build.c
@@ -24,9 +24,12 @@ static inline void *
 put_header(struct netpld *pld, int attr, size_t len)
 {
 	struct netattr *nta = PLD_TAIL(pld);
-	pld->len += NTA_ALIGN(NTA_LENGTH(len));
+	int total_size = NTA_ALIGN(NTA_LENGTH(len));
+	int attr_size = NTA_LENGTH(len);
+	pld->len += total_size;
 	nta->nta_attr = htons(attr);
-	nta->nta_len = htons(len);
+	nta->nta_len = htons(attr_size);
+	memset((unsigned char *)nta + attr_size, 0, total_size - attr_size);
 	return NTA_DATA(nta);
 }
author	Pablo Neira Ayuso <pablo@netfilter.org>	2008-11-25 01:56:47 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2008-11-25 01:56:47 +0100
commit	6262a4a7b7139fb5636228cb0f5a1e72f848d871 (patch)
tree	a239dc549821e9cc897d616dd99c637767bf9fee /src/build.c
parent	40efc1ebb15be022453f8c820c31099a8a0ebebd (diff)