diff --git a/backport-nlmsg-fix-false-positives-when-validating-buffer-siz.patch b/backport-nlmsg-fix-false-positives-when-validating-buffer-siz.patch new file mode 100644 index 0000000000000000000000000000000000000000..441e641c3ee96007f76dd98bf2c2e0a754f4fa58 --- /dev/null +++ b/backport-nlmsg-fix-false-positives-when-validating-buffer-siz.patch 
@@ -0,0 +1,65 @@ +From 754c9de5ea1bea821495523cf01989299552e524 Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Sat, 4 Nov 2023 23:01:54 +0000 +Subject: [PATCH] nlmsg: fix false positives when validating buffer sizes + +The `len` parameter of `mnl_nlmsg_ok`, which holds the buffer length and +is compared to the size of the object expected to fit into the buffer, +is signed because the function validates the length, and it can be +negative in the case of malformed messages. Comparing it to unsigned +operands used to lead to compiler warnings: + + msg.c: In function 'mnl_nlmsg_ok': + msg.c:136: warning: comparison between signed and unsigned + msg.c:138: warning: comparison between signed and unsigned + +and so commit 73661922bc3b ("fix warning in compilation due to different +signess") added casts of the unsigned operands to `int`. However, the +comparison to `nlh->nlmsg_len`: + + (int)nlh->nlmsg_len <= len + +is problematic, since `nlh->nlmsg_len` is of type `__u32` and so may +hold values greater than `INT_MAX`. In the case where `len` is positive +and `nlh->nlmsg_len` is greater than `INT_MAX`, the cast will yield a +negative value and `mnl_nlmsg_ok` will incorrectly return true. + +Instead, assign `len` to an unsigned local variable, check for a +negative value first, then use the unsigned local for the other +comparisons, and remove the casts. 
+ +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1691 +Fixes: 73661922bc3b ("fix warning in compilation due to different signess") +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso + +Conflict:NA +Reference:https://git.netfilter.org/libmnl/commit/?id=754c9de5ea1bea821495523cf01989299552e524 +--- + src/nlmsg.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/nlmsg.c b/src/nlmsg.c +index c634501..30a7e63 100644 +--- a/src/nlmsg.c ++++ b/src/nlmsg.c +@@ -152,9 +152,14 @@ EXPORT_SYMBOL void *mnl_nlmsg_get_payload_offset(const struct nlmsghdr *nlh, + */ + EXPORT_SYMBOL bool mnl_nlmsg_ok(const struct nlmsghdr *nlh, int len) + { +- return len >= (int)sizeof(struct nlmsghdr) && ++ size_t ulen = len; ++ ++ if (len < 0) ++ return false; ++ ++ return ulen >= sizeof(struct nlmsghdr) && + nlh->nlmsg_len >= sizeof(struct nlmsghdr) && +- (int)nlh->nlmsg_len <= len; ++ nlh->nlmsg_len <= ulen; + } + + /** +-- +2.33.0 + diff --git a/libmnl.spec b/libmnl.spec index 6be70df9372bf4351b110e30e0ceda36452ad32d..13849e7f9740c7de0fb9f6faa2c5409840d6c745 100644 --- a/libmnl.spec +++ b/libmnl.spec @@ -1,12 +1,14 @@ Name:libmnl Version: 1.0.5 -Release: 2 +Release: 3 License: LGPL-2.1-or-later BuildRequires: gcc URL: https://netfilter.org/projects/libmnl Source0: https://netfilter.org/projects/libmnl/files/%{name}-%{version}.tar.bz2 Summary: A minimalistic user-space library oriented to netlink developers. +Patch0: backport-nlmsg-fix-false-positives-when-validating-buffer-siz.patch + %description libmnl is a minimalistic user-space library oriented to Netlink developers. There are a lot of common tasks in parsing, validating, constructing of both @@ -25,7 +27,7 @@ Obsoletes: libmnl-static The devel package provide header files and dynamic libraries for libmnl. %prep -%setup -q +%autosetup -n %{name}-%{version} -p1 %build %configure --enable-static --with-doxygen=no 
@@ -55,6 +57,12 @@ mv examples examples-%{_arch} %{_libdir}/pkgconfig/*.pc %changelog +* Fri Aug 02 2024 zhouyihang - 1.0.5-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:nlmsg: fix false positives when validating buffer sizes + * Sat Mar 25 2023 zhouyihang - 1.0.5-2 - Type:bugfix - ID:NA
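Review bot: in the src/nlmsg.c hunk of the backported patch, `size_t ulen = len;` runs before the `if (len < 0)` guard, so a negative `len` is first converted to a large unsigned value and only then rejected; the conversion is well defined in C and the guard makes it harmless, but declaring `size_t ulen;` and assigning it after the check would state the intent more plainly and avoid an implicit sign-conversion warning under `-Wsign-conversion`. The resulting comparison logic is sound: `nlh->nlmsg_len <= ulen` is now unsigned on both sides, so an `nlmsg_len` above `INT_MAX` can no longer alias a negative `int` and slip past the old `(int)nlh->nlmsg_len <= len` test, which is the false positive the commit message describes. The doc comment that closes at the ` */` context line just above `mnl_nlmsg_ok` should also be updated to say that a negative `len` returns false, since that is now an explicit, tested condition rather than a side effect of the old signed comparison.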
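Review bot: in the libmnl.spec hunk at `@@ -1,12 +1,14 @@`, `-p1` on the new `%autosetup` line matches the `a/src/nlmsg.c` and `b/src/nlmsg.c` prefixes used inside Patch0, so the backport will strip one path component and apply; the `-n %{name}-%{version}` argument is the default directory name for `%autosetup` and could be dropped to keep the line shorter, though it is not wrong. Consider whether the spec should also carry a `%check` step or at least a build-time note, since the patched function is the central bounds check for every netlink message libmnl parses and a regression here would affect all consumers of the library.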
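Review bot: in the `%changelog` hunk, `ID:NA` leaves the entry without a trace to the issue being fixed, although the backported commit header states `Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1691` and the `Reference:` line names upstream commit 754c9de5ea1bea821495523cf01989299552e524; recording at least one of those in the changelog entry would let downstream users correlate the package release with the upstream fix. The `Release: 3` bump and the `1.0.5-3` version in the changelog header agree, and the `DESC:` line matches the patch subject.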