Commit 2bc41ea3 authored Aug 07, 2013 by Olaf Hering Committed by Greg Kroah-Hartman Aug 12, 2013

Tools: hv: correct payload size in netlink_send

netlink_send is supposed to send just the cn_msg+hv_kvp_msg via netlink.
Currently it sets an incorrect iovec size, as reported by valgrind.

In the case of registering with the kernel the allocated buffer is large
enough to hold nlmsghdr+cn_msg+hv_kvp_msg, no overrun happens. In the
case of responding to the kernel the cn_msg is located in the middle of
recv_buffer, after the nlmsghdr. Currently the code in netlink_send adds
also the size of nlmsghdr to the payload. But nlmsghdr is a separate
iovec. This leads to an (harmless) out-of-bounds access when the kernel
processes the iovec. Correct the iovec size of the cn_msg to be just
cn_msg + its payload.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent d3b688c6

tools/hv/hv_kvp_daemon.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1398,7 +1398,7 @@ netlink_send(int fd, struct cn_msg *msg)
		char buffer[64];
		struct iovec iov[2];

		size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);
		size = sizeof(struct cn_msg) + msg->len;

		nlh = (struct nlmsghdr *)buffer;
		nlh->nlmsg_seq = 0;

tools/hv/hv_vss_daemon.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -111,7 +111,7 @@ static int netlink_send(int fd, struct cn_msg *msg)
		char buffer[64];
		struct iovec iov[2];

		size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);
		size = sizeof(struct cn_msg) + msg->len;

		nlh = (struct nlmsghdr *)buffer;
		nlh->nlmsg_seq = 0;

Admin message