From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stephen Hemminger Subject: Re: [PATCH iproute2] iproute2: fix use-after-free Date: Wed, 12 Sep 2018 17:33:20 -0700 Message-ID: <20180912173320.68048381@xeon-e3> References: <20180912232928.166085-1-mahesh@bandewar.net> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: netdev , Mahesh Bandewar To: Mahesh Bandewar Return-path: Received: from mail-pg1-f193.google.com ([209.85.215.193]:39287 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726261AbeIMFk0 (ORCPT ); Thu, 13 Sep 2018 01:40:26 -0400 Received: by mail-pg1-f193.google.com with SMTP id i190-v6so1875010pgc.6 for ; Wed, 12 Sep 2018 17:33:27 -0700 (PDT) In-Reply-To: <20180912232928.166085-1-mahesh@bandewar.net> Sender: netdev-owner@vger.kernel.org List-ID: On Wed, 12 Sep 2018 16:29:28 -0700 Mahesh Bandewar wrote: > From: Mahesh Bandewar > > A local program using iproute2 lib pointed out the issue and looking > at the code it is pretty obvious - > > a = (struct nlmsghdr *)b; > ... > free(b); > if (a->nlmsg_seq == seq) > ... > > Fixes: 86bf43c7c2fd ("lib/libnetlink: update rtnl_talk to support malloc buff at run time") > Signed-off-by: Mahesh Bandewar Yes, this is a real problem. Maybe a minimal patch like this would be enough: diff --git a/lib/libnetlink.c b/lib/libnetlink.c index 928de1dd16d8..ab2d8452e4a1 100644 --- a/lib/libnetlink.c +++ b/lib/libnetlink.c @@ -661,6 +661,8 @@ next: if (l < sizeof(struct nlmsgerr)) { fprintf(stderr, "ERROR truncated\n"); } else if (!err->error) { + __u32 err_seq = h->nlmsg_seq; + /* check messages from kernel */ nl_dump_ext_ack(h, errfn); @@ -668,7 +670,8 @@ next: *answer = (struct nlmsghdr *)buf; else free(buf); - if (h->nlmsg_seq == seq) + + if (err_seq == seq) return 0; else if (i < iovlen) goto next;
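Review bot: the copy taken in the first hunk (`__u32 err_seq = h->nlmsg_seq;`) has no comment saying why the field is read out early, so a later cleanup could fold it back into the comparison and reintroduce the use-after-free that the Fixes: commit describes; a one-line comment next to the declaration, e.g. `/* buf may be freed below; keep the seq */`, would pin the invariant down. Declaring it at the top of the `!err->error` branch is the right scope, since in the visible code that branch is the only one that frees buf before the sequence comparison.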
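Review bot: in the second hunk the `else free(buf);` path leaves `h` (and `err`, which points into the same buffer) dangling, and the `goto next` below keeps looping with those pointers still in scope; the new `if (err_seq == seq)` no longer dereferences them, but nothing prevents a later read. Consider `h = NULL;` right after `free(buf)` (or a comment stating that `h` must be re-derived before any further use) so the ownership change is explicit. The added blank `+` line before the `if` is unrelated to the fix and could be dropped to keep the diff minimal.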
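The pattern quoted in the commit message (cast the buffer to a header pointer, free the buffer, then read the header) and the shape of the fix in the reply, as an added example that is not iproute2 code and does not come from this thread. It models the rtnl_talk ACK path with a constructed in-memory reply: struct layouts mirror `struct nlmsghdr` and `struct nlmsgerr` from `<linux/netlink.h>` but are defined locally so the file builds anywhere, the `answer` out-parameter stands in for rtnl_talk's caller-owned answer buffer, and `handle_ack_uaf`, `handle_ack_fixed`, `build_ack` and `ack_matches` are names chosen here. No netlink socket is involved.

```c
/* Added example: vulnerable and fixed handling of a netlink ACK buffer.
 * Not iproute2 code; struct layouts and names are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NLMSG_ERROR_TYPE 0x2		/* value of NLMSG_ERROR */

struct nlhdr {				/* same layout as struct nlmsghdr */
	uint32_t nlmsg_len;
	uint16_t nlmsg_type;
	uint16_t nlmsg_flags;
	uint32_t nlmsg_seq;
	uint32_t nlmsg_pid;
};

struct nlerr {				/* same layout as struct nlmsgerr */
	int32_t error;
	struct nlhdr msg;
};

/* Constructed kernel-style ACK: NLMSG_ERROR with error == 0 echoing 'seq'. */
static char *build_ack(uint32_t seq, uint32_t *len)
{
	size_t total = sizeof(struct nlhdr) + sizeof(struct nlerr);
	char *buf = calloc(1, total);
	struct nlhdr *h;
	struct nlerr *e;

	if (!buf)
		return NULL;
	h = (struct nlhdr *)buf;
	e = (struct nlerr *)(buf + sizeof(struct nlhdr));
	h->nlmsg_len = (uint32_t)total;
	h->nlmsg_type = NLMSG_ERROR_TYPE;
	h->nlmsg_seq = seq;
	e->error = 0;
	e->msg.nlmsg_seq = seq;
	*len = (uint32_t)total;
	return buf;
}

/* Shape from the Fixes: commit. Returns 1 on matching ACK, 0 on mismatch,
 * -1 if the message is not a well-formed ACK. When answer == NULL the
 * buffer is freed and then read through the dangling alias h. */
static int handle_ack_uaf(char *buf, uint32_t len, uint32_t seq,
			  struct nlhdr **answer)
{
	struct nlhdr *h = (struct nlhdr *)buf;
	struct nlerr *err = (struct nlerr *)(buf + sizeof(struct nlhdr));

	if (len < sizeof(struct nlhdr) + sizeof(struct nlerr) ||
	    h->nlmsg_type != NLMSG_ERROR_TYPE || err->error) {
		free(buf);
		return -1;		/* truncated or a real error, not an ACK */
	}
	if (answer)
		*answer = h;		/* caller takes ownership of buf */
	else
		free(buf);
	return h->nlmsg_seq == seq;	/* use-after-free when answer == NULL */
}

/* Fixed shape: copy the field out while buf is live, then drop the alias. */
static int handle_ack_fixed(char *buf, uint32_t len, uint32_t seq,
			    struct nlhdr **answer)
{
	struct nlhdr *h = (struct nlhdr *)buf;
	struct nlerr *err = (struct nlerr *)(buf + sizeof(struct nlhdr));
	uint32_t err_seq;

	if (len < sizeof(struct nlhdr) + sizeof(struct nlerr) ||
	    h->nlmsg_type != NLMSG_ERROR_TYPE || err->error) {
		free(buf);
		return -1;
	}
	err_seq = h->nlmsg_seq;		/* buf may be freed below; keep the seq */
	if (answer) {
		*answer = h;		/* caller takes ownership of buf */
	} else {
		free(buf);
		h = NULL;		/* any later deref faults instead of reading stale memory */
	}
	return err_seq == seq;
}

/* Drive the fixed handler: we sent 'sent', the ACK echoes 'echoed'. */
static int ack_matches(uint32_t sent, uint32_t echoed, int want_answer)
{
	uint32_t len;
	char *buf = build_ack(echoed, &len);
	struct nlhdr *answer = NULL;
	int ret;

	if (!buf)
		return -1;
	ret = handle_ack_fixed(buf, len, sent, want_answer ? &answer : NULL);
	if (answer) {			/* still valid: ownership moved to us */
		ret = ret && answer->nlmsg_seq == echoed;
		free(answer);
	}
	return ret;
}

int main(void)
{
	printf("fixed: match=%d mismatch=%d with-answer=%d\n",
	       ack_matches(7, 7, 0), ack_matches(7, 8, 0), ack_matches(7, 7, 1));
#ifdef DEMO_UAF
	{	/* build with -fsanitize=address -DDEMO_UAF to see the original
		 * bug reported as heap-use-after-free at the nlmsg_seq read */
		uint32_t len;
		char *buf = build_ack(7, &len);
		if (buf)
			printf("uaf path: %d\n", handle_ack_uaf(buf, len, 7, NULL));
	}
#endif
	return 0;
}
```

The vulnerable handler is compiled but only exercised under `-DDEMO_UAF`, where AddressSanitizer pinpoints the read; without a sanitizer the read is undefined behaviour and on a glibc with tcache the first 16 bytes of the freed chunk are overwritten by allocator metadata, which happens to cover `nlmsg_seq` at offset 8, so the comparison can silently fail rather than crash. The fixed handler reads the field once before ownership of the buffer changes hands, which is exactly what the `err_seq` copy in the patch does.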