On Wed, 12 Sep 2018 16:29:28 -0700 Mahesh Bandewar <mah...@bandewar.net> wrote:
> From: Mahesh Bandewar <mahe...@google.com>
>
> A local program using iproute2 lib pointed out the issue and looking
> at the code it is pretty obvious -
>
>     a = (struct nlmsghdr *)b;
>     ...
>     free(b);
>     if (a->nlmsg_seq == seq)
>     ...
>
> Fixes: 86bf43c7c2fd ("lib/libnetlink: update rtnl_talk to support malloc buff
> at run time")
> Signed-off-by: Mahesh Bandewar <mahe...@google.com>

Yes, this is a real problem.
Maybe a minimal patch like this would be enough:

diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index 928de1dd16d8..ab2d8452e4a1 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -661,6 +661,8 @@ next:
 			if (l < sizeof(struct nlmsgerr)) {
 				fprintf(stderr, "ERROR truncated\n");
 			} else if (!err->error) {
+				__u32 err_seq = h->nlmsg_seq;
+
 				/* check messages from kernel */
 				nl_dump_ext_ack(h, errfn);
 
@@ -668,7 +670,8 @@ next:
 					*answer = (struct nlmsghdr *)buf;
 				else
 					free(buf);
-				if (h->nlmsg_seq == seq)
+
+				if (err_seq == seq)
 					return 0;
 				else if (i < iovlen)
 					goto next;
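Review bot: in the first hunk, `__u32 err_seq = h->nlmsg_seq;` is the right shape of fix (`h` points into `buf`, which the second hunk frees before the compare), but nothing next to the declaration says why the copy exists, so a later cleanup could fold it straight back into `if (h->nlmsg_seq == seq)` and reintroduce the bug; a one-line comment such as `/* buf may be freed before the seq check below */` above the new line would pin that down. `__u32` matches the type of `nlmsg_seq` in `struct nlmsghdr`, so the copy loses nothing.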
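Review bot: in the second hunk, switching the compare to `if (err_seq == seq)` removes the read through the freed buffer on the `else free(buf);` path, but `h` stays a dangling alias of `buf` and remains in scope on the `return 0`, `else if (i < iovlen)` and `goto next` paths; the patch is only complete if nothing on those paths dereferences `h` again before it is reassigned, which the visible context does not show and is worth confirming against the rest of the loop. The extra blank line added before the new `if` is unrelated to the fix and could be dropped to keep the minimal patch minimal.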
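The aliasing bug the thread describes, with the save-before-free fix beside it, as an added example that is not iproute2's code. It carries a local copy of the `struct nlmsghdr` / `struct nlmsgerr` layout so it builds without `<linux/netlink.h>`, and `make_ack()` fabricates the zero-error ACK that `recvmsg()` would otherwise deliver; both the local structs and the constructed message are assumptions of the example, not something the thread shows.

```c
/* Added example, not from iproute2: use-after-free through an alias of a
 * freed buffer, and the fix of copying the field out before the free.
 * The structs below mirror the <linux/netlink.h> layout so this builds
 * without kernel headers (assumption of the example). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct nlmsghdr {
    uint32_t nlmsg_len;
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

struct nlmsgerr {
    int error;
    struct nlmsghdr msg;
};

#define NLMSG_ERROR 0x2

/* Constructed input: a heap buffer holding a kernel-style ACK (error == 0)
 * carrying sequence number `seq`, standing in for what recvmsg() returns. */
static struct nlmsghdr *make_ack(uint32_t seq)
{
    size_t len = sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr);
    struct nlmsghdr *h = calloc(1, len);
    if (!h)
        return NULL;
    struct nlmsgerr *err = (struct nlmsgerr *)(h + 1);
    h->nlmsg_len = (uint32_t)len;
    h->nlmsg_type = NLMSG_ERROR;
    h->nlmsg_seq = seq;
    err->error = 0;
    err->msg.nlmsg_seq = seq;
    return h;
}

/* BUGGY: the shape the commit message quotes. `h` aliases `buf`; when the
 * caller passes answer == NULL the buffer is freed and then h->nlmsg_seq is
 * read through the dangling pointer. Kept for comparison; only the
 * answer != NULL path is safe to call. Build with -fsanitize=address and
 * call it with NULL to see the read flagged. */
static int ack_matches_buggy(uint32_t want, uint32_t got, struct nlmsghdr **answer)
{
    struct nlmsghdr *buf = make_ack(got);
    struct nlmsghdr *h = buf;          /* alias, as in libnetlink */
    if (!buf)
        return 0;
    if (answer)
        *answer = buf;
    else
        free(buf);
    return h->nlmsg_seq == want;       /* use-after-free on the else path */
}

/* FIXED: copy the sequence number while the buffer is still live, hand the
 * buffer to the caller or free it, then compare the copy. */
static int ack_matches_fixed(uint32_t want, uint32_t got, struct nlmsghdr **answer)
{
    struct nlmsghdr *buf = make_ack(got);
    struct nlmsghdr *h = buf;
    if (!buf)
        return 0;
    uint32_t err_seq = h->nlmsg_seq;   /* read before buf can be freed */
    if (answer)
        *answer = buf;
    else
        free(buf);
    return err_seq == want;
}

/* Helper for the answer != NULL path: the caller owns the buffer and can
 * still read the header; returns 1 when both the match and the handed-back
 * header agree on `seq`. */
static int fixed_answer_path_ok(uint32_t seq)
{
    struct nlmsghdr *a = NULL;
    int match = ack_matches_fixed(seq, seq, &a);
    int hdr_ok = a && a->nlmsg_seq == seq;
    free(a);
    return match && hdr_ok;
}

int main(void)
{
    printf("fixed, seq match   : %d\n", ack_matches_fixed(5, 5, NULL));
    printf("fixed, seq mismatch: %d\n", ack_matches_fixed(5, 6, NULL));
    printf("fixed, answer path : %d\n", fixed_answer_path_ok(9));
    return 0;
}
```

The fixed variant is what the minimal patch above does in libnetlink: the only thing that changes is when `nlmsg_seq` is read relative to `free()`.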