From 8e4576b9fdb5c888d20a13aa2cc198df790dba54 Mon Sep 17 00:00:00 2001 
From: Thomas Haller Date: Fri, 18 Jul 2014 13:34:33 +0200 Subject: netlink: fix crash in netlink-monitor validating netlink messages The wrong callback data pointer was passed to the netlink message validation function. Since libnl commit 4dd5fdd0af2c0b7ffe1dbc49313f263dbb2e906f, nl_socket_get_local_port() actually modifies the provided @sk pointer. Hence, since libnl 3.2.25 NM will crash due to this bug. #0 _nl_socket_generate_local_port_no_release (sk=0x715500) at socket.c:339 #1 0x00007ffff76f3ad5 in nl_socket_get_local_port (sk=sk@entry=0x715500) at socket.c:369 #2 0x000000000046b81a in event_msg_recv (msg=, arg=0x715500) at nm-netlink-monitor.c:204 #3 0x00007ffff76f2604 in nl_cb_call (msg=0x71f240, type=5, cb=0x71f150) at ../include/netlink-private/netlink.h:141 #4 recvmsgs (cb=0x71f150, sk=0x71f070) at nl.c:823 #5 nl_recvmsgs_report (sk=sk@entry=0x71f070, cb=cb@entry=0x71f150) at nl.c:1003 #6 0x00007ffff76f2bc9 in nl_recvmsgs (sk=sk@entry=0x71f070, cb=cb@entry=0x71f150) at nl.c:1027 #7 0x00007ffff76ec6b8 in __cache_pickup (sk=sk@entry=0x71f070, cache=cache@entry=0x71f0c0, param=param@entry=0x7fffffffd3f0) at cache.c:701 #8 0x00007ffff76ed0dd in nl_cache_pickup (sk=sk@entry=0x71f070, cache=cache@entry=0x71f0c0) at cache.c:753 #9 0x00007ffff76ed2d8 in nl_cache_refill (sk=sk@entry=0x71f070, cache=cache@entry=0x71f0c0) at cache.c:983 #10 0x00007ffff7b224db in rtnl_link_alloc_cache (sk=0x71f070, family=family@entry=0, result=result@entry=0x7154e0) at route/link.c:1029 #11 0x000000000046c5f7 in sync_connection_setup (self=self@entry=0x715500, error=error@entry=0x7fffffffd4f8) at nm-netlink-monitor.c:412 #12 0x000000000046c91f in nm_netlink_monitor_open_connection (self=0x715500, error=error@entry=0x7fffffffd4f8) at nm-netlink-monitor.c:447 #13 0x000000000046cad7 in nm_netlink_monitor_get () at nm-netlink-monitor.c:840 #14 0x00000000004558b9 in main (argc=1, argv=0x7fffffffd958) at main.c:527 Reported-by: Jan Engelhardt Fixes: 9fee99e1230580067efb33f3aaea0fddad5cfe66
Signed-off-by: Thomas Haller
diff --git a/src/nm-netlink-monitor.c b/src/nm-netlink-monitor.c
index ba8053e..593dec9 100644
--- a/src/nm-netlink-monitor.c
+++ b/src/nm-netlink-monitor.c
@@ -285,7 +285,7 @@ nlh_setup (struct nl_sock *nlh,
 {
 int err;
- nl_socket_modify_cb (nlh, NL_CB_MSG_IN, NL_CB_CUSTOM, event_msg_recv, cb_data);
+ nl_socket_modify_cb (nlh, NL_CB_MSG_IN, NL_CB_CUSTOM, event_msg_recv, nlh);
 if (valid_func)
 nl_socket_modify_cb (nlh, NL_CB_VALID, NL_CB_CUSTOM, valid_func, cb_data);
-- 
cgit v0.10.2
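Review bot: The added `nl_socket_modify_cb (nlh, NL_CB_MSG_IN, ...)` line now hands the socket itself to `event_msg_recv` while the `NL_CB_VALID` registration two lines below still passes `cb_data`, and nothing in `nlh_setup` records that this asymmetry is deliberate, so the next reader is likely to "fix" it back to `cb_data` and reintroduce the crash from the backtrace (frame #2 shows `arg=0x715500`, which frame #11 identifies as the monitor object, not the socket at 0x71f070). I would put a comment above the new line: `/* event_msg_recv() needs the socket itself, not cb_data: it calls nl_socket_get_local_port() on its arg, which since libnl 3.2.25 writes to the socket. */`. `event_msg_recv` is outside this hunk, so I am inferring from the description that its `arg` is treated as a `struct nl_sock *`; it is worth checking that the cast there has a matching comment. `nlh_setup` starts before this hunk (its parameter list is only partly visible in the `@@` context) and its body continues past it.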