libnl: don't use out-of-scope buffer in nl_send_iovec()
authorAndrew Vagin <avagin@virtuozzo.com>
Mon, 23 Nov 2015 14:23:20 +0000 (17:23 +0300)
committerThomas Haller <thaller@redhat.com>
Tue, 24 Nov 2015 12:44:48 +0000 (13:44 +0100)
The control message buffer is declared inside the if body,
but it is then used outside of that block.

http://lists.infradead.org/pipermail/libnl/2015-November/002013.html

Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
lib/nl.c

index cba42170a70e1eb0e4435ae4943f148aad72e4e1..2d1ce81cca3284937fad5da473a9ae43d18ec397 100644 (file)
--- a/lib/nl.c
+++ b/lib/nl.c
@@ -384,6 +384,7 @@ int nl_send_iovec(struct nl_sock *sk, struct nl_msg *msg, struct iovec *iov, uns
                .msg_iov = iov,
                .msg_iovlen = iovlen,
        };
+       char buf[CMSG_SPACE(sizeof(struct ucred))];
 
        /* Overwrite destination if specified in the message itself, defaults
         * to the peer address of the socket.
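Review bot: The hoisted `char buf[CMSG_SPACE(sizeof(struct ucred))];` is a plain char array, so nothing guarantees it is suitably aligned for the `struct cmsghdr` that is written through it once `hdr.msg_control = buf` is set (visible in the second hunk). cmsg(3) recommends wrapping the buffer in a union for this, e.g. `union { char buf[CMSG_SPACE(sizeof(struct ucred))]; struct cmsghdr align; } u;`, and pointing `hdr.msg_control` at `u.buf`. The declaration would also benefit from a comment such as `/* must stay at function scope: hdr.msg_control points here until hdr is sent */`, so a later cleanup does not move it back into the `if` body and reintroduce the dangling pointer. The rest of nl_send_iovec(), including the place where `hdr` is presumably consumed, lies outside the hunk.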
@@ -395,7 +396,6 @@ int nl_send_iovec(struct nl_sock *sk, struct nl_msg *msg, struct iovec *iov, uns
        /* Add credentials if present. */
        creds = nlmsg_get_creds(msg);
        if (creds != NULL) {
-               char buf[CMSG_SPACE(sizeof(struct ucred))];
                struct cmsghdr *cmsg;
 
                hdr.msg_control = buf;