Skip to content

fix lldpad netlink heap access overrun #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
chunjiez wants to merge 1 commit into from
Closed

fix lldpad netlink heap access overrun #122

chunjiez wants to merge 1 commit into from

Conversation

@chunjiez
Copy link
Contributor

@chunjiez chunjiez commented Feb 20, 2025

If lldpad runs on top of some new versions of linux kernel (e.g. 6.10), then netlink message size would be larger than NLMSG_SIZE. In this case, lldpad application would crash due to heap access overrun.

penguin359
penguin359 requested changes Feb 20, 2025
View reviewed changes
Copy link
Contributor

@penguin359 penguin359 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There should be no heap overrun or crash on the call to recv() because we pass the exact size of the allocated buffer. However, the parsing code of the netlink might have that possibility if they have embedded lengths and a truncated packet comes in. I'm not too familiar with how the netlink interface handles that case.

The logic generally seems sound with just a few comments added.

@chunjiez chunjiez requested a review from penguin359 February 25, 2025 04:53
@chunjiez
Copy link
Contributor Author

chunjiez commented Mar 3, 2025

@penguin359 , could you please review the updated commit?

penguin359
penguin359 approved these changes Mar 3, 2025
View reviewed changes
Copy link
Contributor

@penguin359 penguin359 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have finished my review and this seems reasonable. There is a possibility with the original code that if additional attributes are added to the message that the parsing code will overflow the default buffer size. From my own experiments with rtnetlink(2) this week-end, some netlink messages are indeed larger than 1024 bytes, but it seems none of the ones received by us so far.

It actually brings up a bigger issue with our use of the libnl API. We should be calling nlmsg_ok() on all received packets before any call to nlmsg_parse() as that does the bounds checking to make sure that the buffer has enough bytes in it to account for the total size of the message listed in it's header. If we had that check, then we would simply return an error with the original code instead of crashing due to out-of-bounds memory access.

Also, libnl does offer a function to handle much of the logic that is being added here in nl_recv() and friends, but are perhaps overkill with what they provide.

I see several other places in the code that seem to go into parsing netlink packets without a proper check that the advertised length is less than or equal to the buffer length for the packet. This includes a second, nearly identical use of nlmsg_parse() in this very same file. I approve this PR as is, but we should probably open an issue that tracks further improvements.

@penguin359 penguin359 mentioned this pull request Mar 3, 2025
Open
@penguin359 penguin359 assigned penguin359 and apconole and unassigned penguin359 Mar 3, 2025
@penguin359 penguin359 added the bug label Mar 3, 2025
@chunjiez chunjiez requested a review from penguin359 March 4, 2025 02:09
@apconole
Copy link
Contributor

apconole commented Mar 10, 2025

Can you please squash into a single commit @chunjiez

@chunjiez
fix lldpad netlink heap access overrun
3201522 
Signed-off-by: Chunjie Zhu <chunjie.zhu@cloud.com>
@chunjiez
Copy link
Contributor Author

chunjiez commented Mar 12, 2025

@apconole done

@apconole
Copy link
Contributor

apconole commented Mar 18, 2025

Thanks. Applied, and added a fixes tag.

@apconole apconole closed this Mar 18, 2025
@penguin359 penguin359 mentioned this pull request Mar 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@penguin359 penguin359 Awaiting requested review from penguin359

Assignees

@apconole apconole

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chunjiez @apconole @penguin359