ip-link: Fix use after free in nl_get_ll_addr_len()
Immediately after freeing the buffer returned from rtnl_talk(), it is
accessed again via pointer in struct rtattr array. This leads to some
builds not allowing to set an interface's MAC address because the
expected length value is garbage.
Fixes: 86bf43c7c2 ("lib/libnetlink: update rtnl_talk to support malloc buff at run time")
Signed-off-by: Phil Sutter <phil@nwl.cc>
This commit is contained in:
Phil Sutter
Stephen Hemminger
parent
a0405444f7
commit
06867c3719
|
|
@ -276,8 +276,9 @@ static int nl_get_ll_addr_len(unsigned int dev_index)
|
|||
return -1;
|
||||
}
|
||||
|
||||
len = RTA_PAYLOAD(tb[IFLA_ADDRESS]);
|
||||
free(answer);
|
||||
return RTA_PAYLOAD(tb[IFLA_ADDRESS]);
|
||||
return len;
|
||||
}
|
||||
|
||||
static void iplink_parse_vf_vlan_info(int vf, int *argcp, char ***argvp,
|
||||
|
|
|
|||
Loading…
Reference in New Issue