
RUSTSEC-2025-0142

Segmentation fault and invalid memory read in mnl::cb_run

Reported
Issued
Package: mnl (crates.io)
Type: Vulnerability
Categories
Aliases
References
Patched: >=0.3.1

Description

The function mnl::cb_run is marked as safe but exhibits unsound behavior when processing malformed Netlink message buffers.

Passing a crafted byte slice to mnl::cb_run can trigger memory violations. The function does not sufficiently validate the input buffer structure before processing, leading to out-of-bounds reads.

This vulnerability allows an attacker to cause a Denial of Service (segmentation fault) or potentially read unmapped memory by providing a malformed Netlink message.

The underlying issue is a bug in libmnl: during validation, nlh->nlmsg_len is cast to an int, which becomes negative when nlmsg_len is greater than INT_MAX. The size comparison then succeeds even though the buffer is too small for the message, so the parser reads past the end of the buffer. This has been fixed in libmnl but still affects version 1.0.5.

The issue in mnl was fixed in commit cd51bdc by checking the validity of Netlink messages passed to mnl::cb_run.
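The following is an added illustration of the length check described above, not code from the mnl crate, libmnl, or commit cd51bdc. It models the flawed comparison (a u32 nlmsg_len cast to a C int and compared with the buffer length) beside a walker that validates each Netlink header in unsigned arithmetic before handing the message on, which is the kind of check a caller of cb_run needs. The header layout (16-byte nlmsghdr, 4-byte alignment) is Linux's; the message bytes, the function names, and the oversized length value 0xFFFF_FFF0 are constructed for the example.

```rust
// Added example, not from the mnl crate or libmnl. Shows why a signed cast
// of nlmsg_len accepts a message the buffer cannot hold, and how to validate
// Netlink headers without that defect.

/// Size of `struct nlmsghdr` (NLMSG_HDRLEN on Linux).
const NLMSG_HDRLEN: usize = 16;

/// Netlink rounds message lengths up to a multiple of 4 (NLMSG_ALIGN).
fn nlmsg_align(len: usize) -> usize {
    (len + 3) & !3
}

/// Read nlmsg_len (native-endian u32 at offset 0) if a full header is present.
fn read_nlmsg_len(buf: &[u8]) -> Option<u32> {
    if buf.len() < NLMSG_HDRLEN {
        return None;
    }
    let mut raw = [0u8; 4];
    raw.copy_from_slice(&buf[..4]);
    Some(u32::from_ne_bytes(raw))
}

/// Check of the shape the advisory attributes to libmnl 1.0.5 (illustrative
/// model, not its source). `buflen` plays the role of the C `int len`.
fn flawed_nlmsg_ok(buf: &[u8]) -> bool {
    let nlmsg_len = match read_nlmsg_len(buf) {
        Some(len) => len,
        None => return false,
    };
    let buflen = buf.len() as i32;
    // The cast to i32 is the defect: for nlmsg_len > i32::MAX the value is
    // negative, so `<= buflen` holds and the oversized message is accepted.
    buflen >= NLMSG_HDRLEN as i32
        && nlmsg_len as usize >= NLMSG_HDRLEN
        && (nlmsg_len as i32) <= buflen
}

/// Split a receive buffer into whole messages, rejecting any header whose
/// declared length does not fit in the bytes that remain. All comparisons
/// are unsigned, so a length above INT_MAX is simply "too large".
fn split_messages(buf: &[u8]) -> Result<Vec<&[u8]>, &'static str> {
    let mut msgs = Vec::new();
    let mut rest = buf;
    while !rest.is_empty() {
        let len = read_nlmsg_len(rest).ok_or("truncated header")? as usize;
        if len < NLMSG_HDRLEN {
            return Err("nlmsg_len smaller than header");
        }
        if len > rest.len() {
            return Err("nlmsg_len exceeds buffer");
        }
        msgs.push(&rest[..len]);
        // Advance by the aligned length, but never past the end of the buffer
        // (the last message need not carry its trailing padding).
        rest = &rest[nlmsg_align(len).min(rest.len())..];
    }
    Ok(msgs)
}

/// Build a header with the given nlmsg_len followed by `payload` (constructed
/// sample data; type/flags/seq/pid values are arbitrary).
fn make_message(nlmsg_len: u32, payload: &[u8]) -> Vec<u8> {
    let mut m = Vec::with_capacity(NLMSG_HDRLEN + payload.len());
    m.extend_from_slice(&nlmsg_len.to_ne_bytes()); // nlmsg_len
    m.extend_from_slice(&0u16.to_ne_bytes()); // nlmsg_type
    m.extend_from_slice(&0u16.to_ne_bytes()); // nlmsg_flags
    m.extend_from_slice(&1u32.to_ne_bytes()); // nlmsg_seq
    m.extend_from_slice(&0u32.to_ne_bytes()); // nlmsg_pid
    m.extend_from_slice(payload);
    m
}

fn main() {
    // Well-formed: 16-byte header plus 4 payload bytes, nlmsg_len = 20.
    let good = make_message(20, &[1, 2, 3, 4]);
    // Malformed: nlmsg_len above INT_MAX inside a 20-byte buffer.
    let bad = make_message(0xFFFF_FFF0, &[0; 4]);
    for (name, msg) in [("good", &good), ("bad", &bad)] {
        println!(
            "{name}: flawed_ok={} checked={:?}",
            flawed_nlmsg_ok(msg),
            split_messages(msg).map(|m| m.len())
        );
    }
}
```

Running it shows the flawed check returning true for both buffers while the unsigned walker accepts only the well-formed one; the walker also rejects headers shorter than 16 bytes and lengths below the header size, which are the other two ways a crafted buffer can push a parser out of bounds.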

Advisory available under CC0-1.0 license.