util: Fix stack smashing in virNetDevGetFamilyId

After commit 8708ca01 libvirtd consistently aborts with "stack smashing detected" when nodedev driver is initialized. This is caused by nlmsg_parse() being told that its array of nlattr* has CTRL_CMD_MAX (10) entries, when in fact it is declared to have CTRL_ATTR_MAX (8) entries. Since all the entries are initialized to NULL, the result is that nlmsg_parse is overwriting 2*(sizof(nlattr*)) bytes outside the array. Signed-off-by: N Laine Stump <laine@laine.org> Reviewed-by: N John Ferlan <jferlan@redhat.com> Signed-off-by: N Jiri Denemark <jdenemar@redhat.com>

util: Fix stack smashing in virNetDevGetFamilyId
After commit 8708ca01 libvirtd consistently aborts with "stack smashing detected" when nodedev driver is initialized. This is caused by nlmsg_parse() being told that its array of nlattr* has CTRL_CMD_MAX (10) entries, when in fact it is declared to have CTRL_ATTR_MAX (8) entries. Since all the entries are initialized to NULL, the result is that nlmsg_parse is overwriting 2*(sizof(nlattr*)) bytes outside the array. Signed-off-by: N Laine Stump <laine@laine.org> Reviewed-by: N John Ferlan <jferlan@redhat.com> Signed-off-by: N Jiri Denemark <jdenemar@redhat.com>
17825e8a · Laine Stump · Jiri Denemark · b1d87f9a · 17825e8a
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

src/util/virnetdev.c src/util/virnetdev.c +1 -1

未找到文件。
--- a/src/util/virnetdev.c
+++ b/src/util/virnetdev.c
@@ -3183,7 +3183,7 @@ virNetDevGetFamilyId(const char *family_name)
    if (virNetlinkCommand(nl_msg, &resp, &recvbuflen, 0, 0, NETLINK_GENERIC, 0) < 0)
        goto cleanup;

-    if (nlmsg_parse(resp, sizeof(struct nlmsghdr), tb, CTRL_CMD_MAX, NULL) < 0) {
+    if (nlmsg_parse(resp, sizeof(struct nlmsghdr), tb, CTRL_ATTR_MAX, NULL) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("malformed netlink response message"));
        goto cleanup;