netlink_send is supposed to send just the cn_msg+hv_kvp_msg via netlink.
Currently it sets an incorrect iovec size, as reported by valgrind.
In the case of registering with the kernel the allocated buffer is large
enough to hold nlmsghdr+cn_msg+hv_kvp_msg, no overrun happens. In the
case of responding to the kernel the cn_msg is located in the middle of
recv_buffer, after the nlmsghdr. Currently the code in netlink_send adds
also the size of nlmsghdr to the payload. But nlmsghdr is a separate
iovec. This leads to an (harmless) out-of-bounds access when the kernel
processes the iovec. Correct the iovec size of the cn_msg to be just
cn_msg + its payload.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
char buffer[64];
struct iovec iov[2];
- size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);
+ size = sizeof(struct cn_msg) + msg->len;
nlh = (struct nlmsghdr *)buffer;
nlh->nlmsg_seq = 0;
char buffer[64];
struct iovec iov[2];
- size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);
+ size = sizeof(struct cn_msg) + msg->len;
nlh = (struct nlmsghdr *)buffer;
nlh->nlmsg_seq = 0;