libnl: Check data length in nla_reserve / nla_put
Ensure predictable behavior when negative values are passed
to these methods.
Bug: 32255299
Change-Id: I14d2e4a65e5b208554821f9d3ed4e3244464dfd6
Test: Recompile (integration tests will also run)
(cherry picked from commit f01b03b81ab86d2b4c0f874a438ff672d9fcc191)
diff --git a/lib/attr.c b/lib/attr.c
index 298fbb1..8394330 100644
--- a/lib/attr.c
+++ b/lib/attr.c
@@ -800,6 +800,9 @@
struct nlattr *nla;
int tlen;
+ if (attrlen < 0)
+ return NULL;
+
tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen);
if ((tlen + msg->nm_nlh->nlmsg_len) > msg->nm_size)
@@ -838,6 +841,9 @@
{
struct nlattr *nla;
+ if (datalen < 0)
+ return -NLE_RANGE;
+
nla = nla_reserve(msg, attrtype, datalen);
if (!nla)
return -NLE_NOMEM;