sd-rtnl: fix off-by-one
[elogind.git] / src / libsystemd / sd-rtnl / rtnl-message.c
index 4c746f9d8afe9294233af1777f572b3145d62413..4ace94ce18465f16e57d97ca0815ab4b8266e4b4 100644 (file)
@@ -911,19 +911,20 @@ int rtnl_message_parse(sd_rtnl_message *m,
         unsigned short type;
         size_t *tb;
 
-        tb = (size_t *) new0(size_t *, max);
+        tb = new0(size_t, max + 1);
         if(!tb)
                 return -ENOMEM;
 
-        *rta_tb_size = max;
+        *rta_tb_size = max + 1;
 
         for (; RTA_OK(rta, rt_len); rta = RTA_NEXT(rta, rt_len)) {
                 type = rta->rta_type;
 
-                if (type > max) {
-                        log_debug("rtnl: message parse - ignore out of range attribute type");
+                /* if the kernel is newer than the headers we used
+                   when building, we ignore out-of-range attributes
+                 */
+                if (type > max)
                         continue;
-                }
 
                 if (tb[type])
                         log_debug("rtnl: message parse - overwriting repeated attribute");
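Review bot: `type = rta->rta_type;` is compared against `max` without masking the netlink flag bits, so an attribute carrying `NLA_F_NESTED` or `NLA_F_NET_BYTEORDER` would compare greater than `max` and be skipped by the `continue`. With the `log_debug` removed in this change, that now happens silently. If this parser can receive flagged attributes (not visible from the hunk), consider `type = rta->rta_type & NLA_TYPE_MASK;` before the range check. The `type > max` test is also the only thing keeping `tb[type]` inside the `max + 1` allocation, so the new comment could say so, e.g. `/* tb has max + 1 slots, so type must stay <= max */`. The body of rtnl_message_parse continues outside the hunk.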
@@ -1084,7 +1085,8 @@ int sd_rtnl_message_rewind(sd_rtnl_message *m) {
                                        &m->rta_offset_tb[m->n_containers],
                                        &m->rta_tb_size[m->n_containers],
                                        type_system->max,
-                                       (char*)NLMSG_DATA(m->hdr) + NLMSG_ALIGN(type->size),
+                                       (struct rtattr*)((uint8_t*)NLMSG_DATA(m->hdr) +
+                                                        NLMSG_ALIGN(type->size)),
                                        NLMSG_PAYLOAD(m->hdr, type->size));
                 if (r < 0)
                         return r;
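Review bot: The length argument `NLMSG_PAYLOAD(m->hdr, type->size)` is `nlmsg_len` minus the aligned header space, and nothing visible in this hunk checks that `nlmsg_len` is at least that large. On a short message the subtraction would go out of range, and the `RTA_OK` loop in `rtnl_message_parse` would be handed a length larger than the buffer behind the new `struct rtattr*` pointer. If this is not already validated when the message is received, a guard before the call would close it, for example `if (m->hdr->nlmsg_len < NLMSG_SPACE(type->size)) return -EBADMSG;` (the error code is only a suggestion). The call and sd_rtnl_message_rewind both start above the hunk, so an earlier check may already exist there.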