Re: CVE request: libcgroup: Failure to verify netlink messages

[Steve Grubb <sgrubb () redhat com>]

On Friday, February 25, 2011 10:43:20 am Nelson Elhage wrote:
> On Fri, Feb 25, 2011 at 10:20:02AM -0500, Steve Grubb wrote:
> > The current patch does not check if (from_nla_len != sizeof(from_nla))
> > before making decisions based on the header. I contacted upstream about
> > this.
>
> From my reading of the netlink code, recvmsg() / recvfrom() on a netlink
> socket will never return a from_nla_len != sizeof(struct sockaddaddr_nl).
> Am I missing something, did this change at some point, or are you just
> suggesting general paranoid good practice? It's probably good advice in
> any case, I'm just curious whether you're aware of cases where this can
> actually be a problem.


I don't know what is considered the ultimate authority on this. You can look at libnl 
in lib/nl.c you find this:

466         if (msg.msg_namelen != sizeof(struct sockaddr_nl)) {
467                 free(msg.msg_control);
468                 free(*buf);
469                 return -NLE_NOADDR;
470         }

There are many projects that do something similar. However, looking at glibc, they do 
other kinds of validation like the sequence number.

-Steve