shill: RTNL: fixup bounds checking in decoding
The fuzzing framework noticed two heap overruns in RTNL parsing.
For NLMSG_ERROR, we validate that the header fits in our buffer, but we
don't validate that the 'nlmsgerr' does. Fix that.
For DeocdeNdUserOption(), our bounds check isn't big enough; beyond the
first element, we're trusting that the headers contain correct length
values, and we only bounds check against them. Extend the initial bounds
checking to account for all the bits we're expecting to be packed into
TEST=build for x86 with USE="asan fuzzer", then run
Signed-off-by: Brian Norris <firstname.lastname@example.org>
Reviewed-by: Kirtika Ruchandani <email@example.com>
2 files changed