libnl3/nla-reserve.diff

From c473d59f972c35c5a7363d52ee6ee1e0792de0f8 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 18 Jan 2017 11:59:23 +0100
Subject: [PATCH] lib/attr.c: check for valid length argument in nla_reserve()

https://github.com/thom311/libnl/issues/124
---
 lib/attr.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/attr.c b/lib/attr.c
index a3d1b16..0dca3ec 100644
--- a/lib/attr.c
+++ b/lib/attr.c
@@ -457,7 +457,10 @@ struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
 {
 	struct nlattr *nla;
 	int tlen;
-	
+
+	if (attrlen < 0)
+		return NULL;
+
 	tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen);
 
 	if (tlen > msg->nm_size)
@@ -499,8 +502,12 @@ int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data)
 	struct nlattr *nla;
 
 	nla = nla_reserve(msg, attrtype, datalen);
-	if (!nla)
+	if (!nla) {
+		if (datalen < 0)
+			return -NLE_INVAL;
+
 		return -NLE_NOMEM;
+	}
 
 	if (datalen > 0) {
 		memcpy(nla_data(nla), data, datalen);
-- 
2.11.0