From abec8c498c73074be56005424f5909658af19270 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 20 Dec 2021 12:28:35 -0500
Subject: [PATCH] Break netlink address fetch on invalid rta_len

It is considered valid for kernel to return a null rta_len in the midst of data and expect the caller to terminate.
---
 .../common/initramfs/opt/confluent/bin/apiclient | 4 ++--
 confluent_server/confluent/netutil.py | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
index 9eb9e836..11d3758e 100644
--- a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
+++ b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
@@ -55,10 +55,10 @@ def get_my_addresses():
 rta = v[nlhdrsz+ifaddrsz:length]
 while len(rta):
 rtalen, rtatyp = struct.unpack('HH', rta[:4])
+ if rtalen < 4:
+ break
 if rtatyp == 1:
 addrs.append((fam, rta[4:rtalen], plen, ridx))
- if not rtalen:
- break
 rta = rta[rtalen:]
 v = v[length:]
 return addrs
diff --git a/confluent_server/confluent/netutil.py b/confluent_server/confluent/netutil.py
index 344940f6..c7846a30 100644
--- a/confluent_server/confluent/netutil.py
+++ b/confluent_server/confluent/netutil.py
@@ -563,6 +563,8 @@ def get_my_addresses(idx=0, family=0, matchlla=None):
 rta = v[nlhdrsz+ifaddrsz:length]
 while len(rta):
 rtalen, rtatyp = struct.unpack('HH', rta[:4])
+ if rtalen < 4:
+ break
 if rta[4:rtalen].tobytes() == matchlla:
 return get_my_addresses(idx=ridx)
 rta = rta[rtalen:]
@@ -570,10 +572,10 @@ def get_my_addresses(idx=0, family=0, matchlla=None):
 rta = v[nlhdrsz+ifaddrsz:length]
 while len(rta):
 rtalen, rtatyp = struct.unpack('HH', rta[:4])
+ if rtalen < 4:
+ break
 if rtatyp == 1:
 addrs.append((fam, rta[4:rtalen].tobytes(), plen, ridx))
- if not rtalen:
- break
 rta = rta[rtalen:]
 v = v[length:]
 return addrs
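Review bot: The cursor in this loop still advances by the raw length, `rta = rta[rtalen:]`, but rtnetlink pads every attribute to a 4-byte boundary, so an attribute with an odd-sized payload (an interface label string, for example) leaves the next header read starting inside the padding. That misparse may be where the zero rta_len described in the commit message comes from, in which case the new `if rtalen < 4: break` ends the walk early and can drop addresses that follow. Advancing by the aligned length, `rta = rta[(rtalen + 3) & ~3:]`, keeps the parse in step; the same applies to both loops in confluent_server/confluent/netutil.py. The body of get_my_addresses starts above this hunk.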
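Review bot: In the matchlla loop `rtatyp` is unpacked but never tested, so `rta[4:rtalen].tobytes() == matchlla` is compared against the payload of every attribute type, not only address attributes. If only addresses are meant to select the interface, gate the comparison the way the second loop does, `if rtatyp == 1 and rta[4:rtalen].tobytes() == matchlla:`. A short comment on the new guard, such as `# rtattr header is 4 bytes; a smaller rta_len cannot be stepped past`, would also explain the constant. The function body extends beyond this hunk on both sides.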
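Review bot: The new guard bounds rtalen from below only, and two malformed shapes still get through this loop. When one to three bytes remain, `while len(rta):` is still true and `struct.unpack('HH', rta[:4])` raises struct.error; when rtalen exceeds the bytes left, `rta[4:rtalen]` silently truncates and a short address is appended to addrs. `while len(rta) >= 4:` together with `if rtalen < 4 or rtalen > len(rta): break` covers both, and the apiclient loop and the matchlla loop above have the same shape. The function begins outside this hunk.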