Project homepage Mailing List  Warmcat.com  API Docs  Github Mirror 
{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1746162199, "reponame":"libwebsockets", "desc":"libwebsockets lightweight C networking library", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://libwebsockets.org/repo/libwebsockets", "f":3, "items": [ {"schema":"libjg2-1", "cid":"e02390f287c88218a74cc9d962f40bc9", "commit": {"type":"commit", "time": 1622034447, "time_ofs": 60, "oid_tree": { "oid": "d9db28ff2148abbb5e1cb35a3db1b4374b44f92c", "alias": []}, "oid":{ "oid": "4341d756ae34bfc946f8871f8479b3eae48063dc", "alias": []}, "msg": "netlink: fix UB on RTM_NEWADDR/RTM_DELADDR", "sig_commit": { "git_time": { "time": 1622034447, "offset": 60 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" }, "sig_author": { "git_time": { "time": 1622022336, "offset": 180 }, "name": "Andrey Grafin", "email": "conquistador@yandex-team.ru", "md5": "97d14db7f5ab2cdb2540d64cb73b0a2e" }}, "body": "netlink: fix UB on RTM_NEWADDR/RTM_DELADDR\n\nthis patch makes ubsan (-fsanitize-undefined-trap-on-error) happy.\n\nlet's look at the following scenario:\n1. netlink sends RTM_NEWADDR/RTM_DELADDR message\n2. rops_handle_POLLIN_netlink() handles message attributes as RTA_*\n3. rops_handle_POLLIN_netlink() finds RTA_PRIORITY attribute and\nhandles it as u32 value, but it's IFA_CACHEINFO attribute in reality\nand payload holds another type\n4. ubsan throws SIGTRAP\n\nso, don't handle RTM_NEWADDR/RTM_DELADDR attributes as RTA_*\n" , "diff": "diff --git a/lib/roles/netlink/ops-netlink.c b/lib/roles/netlink/ops-netlink.c\nindex 9ad87f6..bd36c31 100644\n--- a/lib/roles/netlink/ops-netlink.c\n+++ b/lib/roles/netlink/ops-netlink.c\n@@ -203,7 +203,12 @@ rops_handle_POLLIN_netlink(struct lws_context_per_thread *pt, struct lws *wsi,\n \t\t\tlwsl_netlink(\u0022%s: %s\u005cn\u0022, __func__,\n \t\t\t\t h-\u003enlmsg_type \u003d\u003d RTM_NEWADDR ?\n \t\t\t\t\t\t \u0022NEWADDR\u0022 : \u0022DELADDR\u0022);\n-\t\t\tbreak;\n+\n+\t\t\t/*\n+\t\t\t * almost nothing interesting within IFA_* attributes:\n+\t\t\t * so skip it and goto to the second half\n+\t\t\t */\n+\t\t\tgoto second_half;\n \n \t\tcase RTM_NEWROUTE:\n \t\tcase RTM_DELROUTE:\n@@ -252,6 +257,7 @@ rops_handle_POLLIN_netlink(struct lws_context_per_thread *pt, struct lws *wsi,\n \n \t\trobj.proto \u003d rm-\u003ertm_protocol;\n \n+\t\t// iterate over route attributes\n \t\tfor ( ; RTA_OK(ra, ra_len); ra \u003d RTA_NEXT(ra, ra_len)) {\n \t\t\t// lwsl_netlink(\u0022%s: atr %d\u005cn\u0022, __func__, ra-\u003erta_type);\n \t\t\tswitch (ra-\u003erta_type) {\n@@ -280,11 +286,8 @@ rops_handle_POLLIN_netlink(struct lws_context_per_thread *pt, struct lws *wsi,\n \t\t\t\tbreak;\n \t\t\tcase RTA_IIF: /* int: input interface index */\n \t\t\tcase RTA_OIF: /* int: output interface index */\n-\t\t\t\tif (h-\u003enlmsg_type !\u003d RTM_NEWADDR \u0026\u0026\n-\t\t\t\t h-\u003enlmsg_type !\u003d RTM_DELADDR) {\n-\t\t\t\t\trobj.if_idx \u003d *(int *)RTA_DATA(ra);\n-\t\t\t\t\tlwsl_netlink(\u0022%s: ifidx %d\u005cn\u0022, __func__, robj.if_idx);\n-\t\t\t\t}\n+\t\t\t\trobj.if_idx \u003d *(int *)RTA_DATA(ra);\n+\t\t\t\tlwsl_netlink(\u0022%s: ifidx %d\u005cn\u0022, __func__, robj.if_idx);\n \t\t\t\tbreak;\n \t\t\tcase RTA_PRIORITY: /* int: priority of route */\n \t\t\t\tp \u003d RTA_DATA(ra);\n@@ -310,8 +313,7 @@ rops_handle_POLLIN_netlink(struct lws_context_per_thread *pt, struct lws *wsi,\n \t\t/*\n \t\t * the second half, once all the attributes were collected\n \t\t */\n-\n-\n+second_half:\n \t\tswitch (h-\u003enlmsg_type) {\n \n \t\tcase RTM_DELROUTE:\n","s":{"c":1746162199,"u": 2217}} ],"g": 3427,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}