lib/route: pass sizeof() argument to nl_memcpy()
authorThomas Haller <thaller@redhat.com>
Tue, 29 Nov 2016 11:38:03 +0000 (12:38 +0100)
committerThomas Haller <thaller@redhat.com>
Tue, 29 Nov 2016 11:38:07 +0000 (12:38 +0100)
nla_memcpy() internally already never copies more than
nla_len(tb). The previous code might overflow if the
netlink attribute is longer than the size of the destination.

Signed-off-by: Thomas Haller <thaller@redhat.com>
lib/route/link.c

index 873d488f8f958a05326fb6508d9c13240951f89e..f9d9b93a49a7bd603b21b8e4953bf734113d32d5 100644 (file)
@@ -400,7 +400,7 @@ int rtnl_link_info_parse(struct rtnl_link *link, struct nlattr **tb)
                /* beware: @st might not be the full struct, only fields up to
                 * tx_compressed are present. See _nl_offset_plus_sizeof() above. */
 
-               if (nla_len(tb[IFLA_STATS]) > _nl_offset_plus_sizeof (struct rtnl_link_stats, tx_compressed))
+               if (nla_len(tb[IFLA_STATS]) >= _nl_offset_plus_sizeof (struct rtnl_link_stats, rx_nohandler))
                        link->l_stats[RTNL_LINK_RX_NOHANDLER] = st->rx_nohandler;
                else
                        link->l_stats[RTNL_LINK_RX_NOHANDLER] = 0;
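Review bot: The length check on the `rx_nohandler` line is a behavioural fix of its own, and neither the commit message nor the comment above it explains the bound. Per the visible lines, the old condition accepted any attribute longer than the end of `tx_compressed`, so `st->rx_nohandler` could be read with only part of that field present; the new `>=` against the end of `rx_nohandler` closes that. I would extend the comment with something like `/* rx_nohandler may be absent; read it only if the attribute covers the whole field */` so the comparison is not simplified back later. `st` is declared outside this hunk, so how it points into the attribute payload is inferred from the comment.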
@@ -418,7 +418,7 @@ int rtnl_link_info_parse(struct rtnl_link *link, struct nlattr **tb)
                 */
                struct rtnl_link_stats64 st = { 0 };
 
-               nla_memcpy(&st, tb[IFLA_STATS64], nla_len(tb[IFLA_STATS64]));
+               nla_memcpy(&st, tb[IFLA_STATS64], sizeof (st));
 
                link->l_stats[RTNL_LINK_RX_PACKETS]     = st.rx_packets;
                link->l_stats[RTNL_LINK_TX_PACKETS]     = st.tx_packets;
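Review bot: The return value of `nla_memcpy()` is still discarded on the new line, so a short IFLA_STATS64 attribute is handled silently. Going by the commit message the copy is clamped to the attribute length, which means an attribute ending in the middle of a counter leaves that field partly copied over the zero initializer, and it is then stored in `l_stats` as if it were a real value. If short attributes are meant to be tolerated, a comment such as `/* short attribute: remaining fields stay 0 from the initializer */` would document that; otherwise compare the attribute length with a known minimum before the copy. The comment block ending above the declaration starts outside the hunk and may already cover this, and the function body continues past the last line shown.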