attr.c: fix nla_reserve size check

author Felix Fietkau <[email protected]>

Wed, 19 Mar 2025 12:17:08 +0000 (13:17 +0100)

committer Felix Fietkau <[email protected]>

Wed, 19 Mar 2025 12:17:08 +0000 (13:17 +0100)
author Felix Fietkau <[email protected]>
Wed, 19 Mar 2025 12:17:08 +0000 (13:17 +0100)
committer Felix Fietkau <[email protected]>
Wed, 19 Mar 2025 12:17:08 +0000 (13:17 +0100)
diff --git a/attr.c b/attr.c

index 2c1d354e86258516810d13854b21f25153a86734..d251c25c63000c65b67023dcadcbcdbb7577e47f 100644 (file)
--- a/attr.c
+++ b/attr.c
@@ -618,11 +618,11 @@ struct nlattr *nla_find(struct nlattr *head, int len, int attrtype)
  struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
  {
         struct nlattr *nla;
-       int tlen;
-       
+       size_t tlen;
+
         tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen);
  
-       if ((tlen + msg->nm_nlh->nlmsg_len) > msg->nm_size)
+       if (tlen > msg->nm_size || tlen > UINT32_MAX)
                 return NULL;
  
         nla = (struct nlattr *) nlmsg_tail(msg->nm_nlh);
author	Felix Fietkau <[email protected]>
	Wed, 19 Mar 2025 12:17:08 +0000 (13:17 +0100)
committer	Felix Fietkau <[email protected]>
	Wed, 19 Mar 2025 12:17:08 +0000 (13:17 +0100)