From b3dfa79010dcb0f12d68903ba8fb8367d8bee0da Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Sun, 14 Aug 2016 11:44:53 +0200
Subject: [PATCH] nl-addr: avoid read-out-of-bound in nl_addr_fill_sockaddr()

https://github.com/thom311/libnl/issues/103

Signed-off-by: Thomas Haller
---
 include/netlink/utils.h |  7 +++++++
 lib/addr.c              | 16 ++++++++++++++--
 lib/utils.c             |  2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/include/netlink/utils.h b/include/netlink/utils.h
index 1115bb4..4e2a90a 100644
--- a/include/netlink/utils.h
+++ b/include/netlink/utils.h
@@ -224,6 +224,13 @@ enum {
 	NL_CAPABILITY_RTNL_ADDR_PEER_ID_FIX = 20,
 #define NL_CAPABILITY_RTNL_ADDR_PEER_ID_FIX NL_CAPABILITY_RTNL_ADDR_PEER_ID_FIX
 
+	/**
+	 * nl_addr_fill_sockaddr() properly checks that the provided address to
+	 * avoid read-out-of-bounds for invalid addresses.
+	 */
+	NL_CAPABILITY_NL_ADDR_FILL_SOCKADDR = 21,
+#define NL_CAPABILITY_NL_ADDR_FILL_SOCKADDR NL_CAPABILITY_NL_ADDR_FILL_SOCKADDR
+
 	__NL_CAPABILITY_MAX,
 	NL_CAPABILITY_MAX = (__NL_CAPABILITY_MAX - 1),
 #define NL_CAPABILITY_MAX NL_CAPABILITY_MAX
diff --git a/lib/addr.c b/lib/addr.c
index 3337878..8cf64c2 100644
--- a/lib/addr.c
+++ b/lib/addr.c
@@ -707,8 +707,14 @@ int nl_addr_fill_sockaddr(const struct nl_addr *addr, struct sockaddr *sa,
 		if (*salen < sizeof(*sai))
 			return -NLE_INVAL;
 
+		if (addr->a_len == 4)
+			memcpy(&sai->sin_addr, addr->a_addr, 4);
+		else if (addr->a_len != 0)
+			return -NLE_INVAL;
+		else
+			memset(&sai->sin_addr, 0, 4);
+
 		sai->sin_family = addr->a_family;
-		memcpy(&sai->sin_addr, addr->a_addr, 4);
 		*salen = sizeof(*sai);
 	}
 	break;
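Review bot: The new doc comment on NL_CAPABILITY_NL_ADDR_FILL_SOCKADDR is missing words ("checks that the provided address to avoid"), so it never says what is actually checked; `* nl_addr_fill_sockaddr() checks the length of the provided address to` / `* avoid read-out-of-bounds for invalid addresses.` would state it. Since this capability is what callers will probe to learn the new contract, the comment should also name the observable behavior, e.g. that an address whose length does not match the family now yields -NLE_INVAL instead of a read past the end of the address.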
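Review bot: The new `else` branch maps an address with a_len == 0 to the all-zeros address instead of rejecting it, a deliberate choice that a reader of the AF_INET case cannot tell from an oversight; a one-line comment above the `if`, such as `/* a_len == 0 is an empty address: fill as INADDR_ANY rather than fail */`, would record the intent. The check also repeats the literal 4 three times where `sizeof(sai->sin_addr)` would tie the length test to the destination it guards: `if (addr->a_len == sizeof(sai->sin_addr))` / `memcpy(&sai->sin_addr, addr->a_addr, sizeof(sai->sin_addr));`. The AF_INET6 hunk at -719,8 has the same shape with 16 and `sa6->sin6_addr` and would take the same comment and `sizeof`. Note that the guard only proves a_len matches the family; it still relies on a_addr actually holding a_len bytes, which the nl_addr constructors presumably guarantee. The enclosing nl_addr_fill_sockaddr() begins and ends outside this hunk.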
@@ -719,8 +725,14 @@ int nl_addr_fill_sockaddr(const struct nl_addr *addr, struct sockaddr *sa,
 		if (*salen < sizeof(*sa6))
 			return -NLE_INVAL;
 
+		if (addr->a_len == 16)
+			memcpy(&sa6->sin6_addr, addr->a_addr, 16);
+		else if (addr->a_len != 0)
+			return -NLE_INVAL;
+		else
+			memset(&sa6->sin6_addr, 0, 16);
+
 		sa6->sin6_family = addr->a_family;
-		memcpy(&sa6->sin6_addr, addr->a_addr, 16);
 		*salen = sizeof(*sa6);
 	}
 	break;
diff --git a/lib/utils.c b/lib/utils.c
index 3e98ab5..61c3d95 100644
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -1165,7 +1165,7 @@ int nl_has_capability (int capability)
 		NL_CAPABILITY_RTNL_ADDR_PEER_FIX,
 		NL_CAPABILITY_VERSION_3_2_28,
 		NL_CAPABILITY_RTNL_ADDR_PEER_ID_FIX,
-		0,
+		NL_CAPABILITY_NL_ADDR_FILL_SOCKADDR,
 		0,
 		0,
 		0),
-- 
2.50.1