Tools: hv: correct payload size in netlink_send

netlink_send is supposed to send just the cn_msg+hv_kvp_msg via netlink. Currently it sets an incorrect iovec size, as reported by valgrind. In the case of registering with the kernel the allocated buffer is large enough to hold nlmsghdr+cn_msg+hv_kvp_msg, no overrun happens. In the case of responding to the kernel the cn_msg is located in the middle of recv_buffer, after the nlmsghdr. Currently the code in netlink_send adds also the size of nlmsghdr to the payload. But nlmsghdr is a separate iovec. This leads to an (harmless) out-of-bounds access when the kernel processes the iovec. Correct the iovec size of the cn_msg to be just cn_msg + its payload. Signed-off-by: Olaf Hering <olaf@aepfle.de> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Olaf Hering <olaf@aepfle.de> 2013-08-07 09:07:21 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-08-12 18:44:57 -0400
commit: 2bc41ea3b3fd4c2f2473ec84f4ee3ef5ff21e49b (patch)
tree: d4d4b6e5554887ee55d7340f3251757bb8992d21 /tools/hv
parent: d3b688c6622334e8460e808755d7d9c4a78c3ae5 (diff)
2 files changed, 2 insertions, 2 deletions
diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c
index b96eccce48e3..dca06a26ee2a 100644
--- a/tools/hv/hv_kvp_daemon.c
+++ b/tools/hv/hv_kvp_daemon.c
@@ -1398,7 +1398,7 @@ netlink_send(int fd, struct cn_msg *msg)
        char buffer[64];
        struct iovec iov[2];
-        size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);
+        size = sizeof(struct cn_msg) + msg->len;
        nlh = (struct nlmsghdr *)buffer;
        nlh->nlmsg_seq = 0;
diff --git a/tools/hv/hv_vss_daemon.c b/tools/hv/hv_vss_daemon.c
index 4213d0e3083f..7cd2544aa49b 100644
--- a/tools/hv/hv_vss_daemon.c
+++ b/tools/hv/hv_vss_daemon.c
@@ -111,7 +111,7 @@ static int netlink_send(int fd, struct cn_msg *msg)
        char buffer[64];
        struct iovec iov[2];
-        size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);
+        size = sizeof(struct cn_msg) + msg->len;
        nlh = (struct nlmsghdr *)buffer;
        nlh->nlmsg_seq = 0;
author	Olaf Hering <olaf@aepfle.de>	2013-08-07 09:07:21 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-08-12 18:44:57 -0400
commit	2bc41ea3b3fd4c2f2473ec84f4ee3ef5ff21e49b (patch)
tree	d4d4b6e5554887ee55d7340f3251757bb8992d21 /tools/hv
parent	d3b688c6622334e8460e808755d7d9c4a78c3ae5 (diff)

diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c index b96eccce48e3..dca06a26ee2a 100644 --- a/tools/hv/hv_kvp_daemon.c +++ b/tools/hv/hv_kvp_daemon.c
@@ -1398,7 +1398,7 @@ netlink_send(int fd, struct cn_msg *msg)
1398	char buffer[64];	1398	char buffer[64];
1399	struct iovec iov[2];	1399	struct iovec iov[2];
1400		1400
1401	size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);	1401	size = sizeof(struct cn_msg) + msg->len;
1402		1402
1403	nlh = (struct nlmsghdr *)buffer;	1403	nlh = (struct nlmsghdr *)buffer;
1404	nlh->nlmsg_seq = 0;	1404	nlh->nlmsg_seq = 0;


diff --git a/tools/hv/hv_vss_daemon.c b/tools/hv/hv_vss_daemon.c index 4213d0e3083f..7cd2544aa49b 100644 --- a/tools/hv/hv_vss_daemon.c +++ b/tools/hv/hv_vss_daemon.c
@@ -111,7 +111,7 @@ static int netlink_send(int fd, struct cn_msg *msg)
111	char buffer[64];	111	char buffer[64];
112	struct iovec iov[2];	112	struct iovec iov[2];
113		113
114	size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);	114	size = sizeof(struct cn_msg) + msg->len;
115		115
116	nlh = (struct nlmsghdr *)buffer;	116	nlh = (struct nlmsghdr *)buffer;
117	nlh->nlmsg_seq = 0;	117	nlh->nlmsg_seq = 0;