From 2976065935bb56551132859b7f020b98f481bc6d Mon Sep 17 00:00:00 2001
From: Motomu Utsumi
Date: Wed, 10 May 2023 17:47:28 +0900
Subject: [PATCH] Add message length check in parseNetlinkErrorMessage

Address review comment on aosp/2501578

Bug: 280553055
Test: TH, atest CtsNetTestCases
Change-Id: I945afc3dcc33dc85de6b00742fcf54e9c1901585
---
 .../android/net/module/util/netlink/NetlinkUtils.java | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/staticlibs/device/com/android/net/module/util/netlink/NetlinkUtils.java b/staticlibs/device/com/android/net/module/util/netlink/NetlinkUtils.java
index 308ea240ef..b512a9598b 100644
--- a/staticlibs/device/com/android/net/module/util/netlink/NetlinkUtils.java
+++ b/staticlibs/device/com/android/net/module/util/netlink/NetlinkUtils.java
@@ -93,6 +93,15 @@ public class NetlinkUtils {
 if (nlmsghdr == null || nlmsghdr.nlmsg_type != NetlinkConstants.NLMSG_ERROR) {
 return null;
 }
+
+ final int messageLength = NetlinkConstants.alignedLengthOf(nlmsghdr.nlmsg_len);
+ final int payloadLength = messageLength - StructNlMsgHdr.STRUCT_SIZE;
+ if (payloadLength < 0 || payloadLength > bytes.remaining()) {
+ // Malformed message or runt buffer. Pretend the buffer was consumed.
+ bytes.position(bytes.limit());
+ return null;
+ }
+
+ return NetlinkErrorMessage.parse(nlmsghdr, bytes);
 }
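Review bot: The new guard checks the declared length only against the buffer and never enforces it on the parser: a header whose `nlmsg_len` equals the header size yields `payloadLength == 0`, which passes, and `NetlinkErrorMessage.parse(nlmsghdr, bytes)` still receives the whole remaining buffer rather than a view limited to `payloadLength`. Whether that is safe depends on `NetlinkErrorMessage.parse`, which is not shown here; if it does not check sizes itself, an error body could be read from bytes that belong to a following message. Consider also rejecting a payload shorter than the fixed error body, or parsing from a view bounded to `payloadLength`. The malformed-length path additionally discards everything left in `bytes`, which callers cannot distinguish from the earlier `return null`, so a comment such as `// Returns null with bytes advanced to limit() when nlmsg_len is inconsistent with the buffer.` on the method would help. The method's signature and opening lines are outside the hunk.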