[PATCH] libnl: report an error if unexpected control data was received

Andrey Vagin avagin at openvz.org
Mon Sep 14 08:59:58 PDT 2015


Currently, we try to handle MSG_CTRUNC, but if msg_controllen is zero, we make
a double free of the same address.

realloc(0, 0) returns a non-zero address
realloc(addr, 0) returns zero and free(addr) has already been called

Then we call free(addr) again and get an error like this:

*** Error in `./task_diag_all': double free or corruption (fasttop): 0x0000000000f9c160 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x77e9d)[0x7f360ed96e9d]
/lib64/libc.so.6(+0x7f53c)[0x7f360ed9e53c]
/lib64/libc.so.6(cfree+0x4c)[0x7f360eda2e9c]
/lib64/libnl-3.so.200(nl_recv+0x221)[0x7f360f2f6361]
/lib64/libnl-3.so.200(nl_recvmsgs_report+0x555)[0x7f360f2f6a95]
/lib64/libnl-3.so.200(nl_recvmsgs+0x9)[0x7f360f2f6d89]
./task_diag_all[0x400f8d]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f360ed3f790]
./task_diag_all[0x401169]

Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 lib/nl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/nl.c b/lib/nl.c
index c93b6a5..cba4217 100644
--- a/lib/nl.c
+++ b/lib/nl.c
@@ -721,6 +721,13 @@ retry:
 
 	if (msg.msg_flags & MSG_CTRUNC) {
 		void *tmp;
+
+		if (msg.msg_controllen == 0) {
+			retval = -NLE_MSG_TRUNC;
+			NL_DBG(4, "recvmsg(%p): Received unexpected control data", sk);
+			goto abort;
+		}
+
 		msg.msg_controllen *= 2;
 		tmp = realloc(msg.msg_control, msg.msg_controllen);
 		if (!tmp) {
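Review bot: the new early-return in the MSG_CTRUNC branch would benefit from a one-line comment stating why `msg.msg_controllen == 0` must be rejected before the `realloc()` call, since the reason (with a zero size, `realloc(msg.msg_control, 0)` frees the buffer and returns NULL, so the later `free()` on the error path frees it a second time, as the backtrace in the description shows) is not obvious from the code itself. The debug string "Received unexpected control data" could also name the actual condition, e.g. "control data truncated but no control buffer was allocated (msg_controllen == 0)", so that someone reading the NL_DBG output at level 4 can tell this case apart from an ordinary MSG_CTRUNC that is handled by growing the buffer.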
-- 
2.4.3