* Re: [PATCH 0/1] netfilter: nfnetlink_queue: fix missing padding in NFQA_PAYLOAD attribute
From: Pablo Neira Ayuso @ 2026-04-23 11:49 UTC (permalink / raw)
To: Ramesh Adhikari; +Cc: netfilter-devel
On Thu, Apr 23, 2026 at 04:54:35PM +0530, Ramesh Adhikari wrote:
> IMPACT:
> Correctness issue - violates netlink protocol. Could cause userspace
> parsers to misparse or crash if they don't check message boundaries.
I see no issue at all here.
* Re: [PATCH 0/1] netfilter: nfnetlink_queue: fix missing padding in NFQA_PAYLOAD attribute
From: Florian Westphal @ 2026-04-23 19:22 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Ramesh Adhikari, netfilter-devel
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Apr 23, 2026 at 04:54:35PM +0530, Ramesh Adhikari wrote:
> > IMPACT:
> > Correctness issue - violates netlink protocol. Could cause userspace
> > parsers to misparse or crash if they don't check message boundaries.
>
> I see no issue at all here.
Me neither. Userspace parsers cannot call 'nla_next()' unconditionally
as they might be looking at the last attribute.
NFQA_PAYLOAD is always the last attribute in the nfqueue message, due
to skb_zerocopy trick. Existing code is correct, and nla_len must be
the exact size: its end also is the end of the buffer/message.
* [PATCH 0/1] netfilter: nfnetlink_queue: fix missing padding in NFQA_PAYLOAD attribute
From: Ramesh Adhikari @ 2026-04-23 11:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
Hi Netfilter developers,
I found a netlink attribute construction bug in nfnetlink_queue similar
to the one recently fixed in nfnetlink_log (commit 52025ebaa29).
ISSUE:
In net/netfilter/nfnetlink_queue.c lines 894-899, the NFQA_PAYLOAD
attribute is manually constructed without allocating padding bytes:
    nla = skb_put(skb, sizeof(*nla));
    nla->nla_type = NFQA_PAYLOAD;
    nla->nla_len = nla_attr_size(data_len);
    if (skb_zerocopy(skb, entskb, data_len, hlen))
        goto nla_put_failure;
This allocates only (4 + data_len) bytes. For data_len=5, this is 9 bytes.
However, nla_next() expects padding:
    totlen = NLA_ALIGN(nla->nla_len); // NLA_ALIGN(9) = 12
The netlink message is 3 bytes short of what the parser expects.
PROOF:
With copy_range=5, captured netlink messages are 73 bytes (should be 76).
The message ends immediately after the 5th data byte with no padding.
FIX:
Replace manual construction with __nla_reserve(), like all other
attributes in the file:
    nla = __nla_reserve(skb, NFQA_PAYLOAD, data_len);
    if (!nla)
        goto nla_put_failure;
    if (skb_zerocopy(skb, entskb, data_len, hlen))
        goto nla_put_failure;
IMPACT:
Correctness issue - violates netlink protocol. Could cause userspace
parsers to misparse or crash if they don't check message boundaries.
I can submit a formal patch if needed.
Best regards,
Ramesh Adhikari
Security Researcher
https://iotsec.in
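As an added example (not code from the thread, the patch or the kernel), here is a bounds-checked userspace attribute walker of the kind Florian's reply assumes: it checks each nla_len against the bytes that remain, accepts an exact-length trailing NFQA_PAYLOAD with no padding, and rejects an nla_len that overruns the message. The NFQA_* numeric values are assumed from the uapi header, and the 21-byte attribute stream is constructed to match the copy_range=5 case from the report.

```c
#include <stdint.h>
#include <string.h>
#define NLA_ALIGN(len) (((len) + 3) & ~3)   /* NLA_ALIGNTO == 4 */
#define NLA_HDRLEN 4
#define NFQA_PACKET_HDR 1   /* assumed enum values, from linux/netfilter/nfnetlink_queue.h */
#define NFQA_PAYLOAD 10

/* Walk buf[0..len). Returns the attribute count, or -1 if an nla_len overruns the
 * buffer; *payload_len receives the NFQA_PAYLOAD data length. The aligned stride is
 * never applied past the end, so an exact-length (unpadded) last attribute is fine. */
static int walk_nlattrs(const uint8_t *buf, size_t len, int *payload_len)
{
    size_t off = 0;
    int n = 0;
    *payload_len = -1;
    while (len - off >= NLA_HDRLEN) {
        uint16_t nla_len, nla_type;
        memcpy(&nla_len, buf + off, 2);        /* netlink uses host byte order */
        memcpy(&nla_type, buf + off + 2, 2);
        if (nla_len < NLA_HDRLEN || nla_len > len - off)
            return -1;                          /* claims more bytes than remain */
        if (nla_type == NFQA_PAYLOAD)
            *payload_len = nla_len - NLA_HDRLEN;
        n++;
        if (NLA_ALIGN(nla_len) >= len - off)
            break;                              /* last attribute, padded or not */
        off += NLA_ALIGN(nla_len);
    }
    return n;
}

static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }   /* host order */

/* Constructed sample: a padded 7-byte NFQA_PACKET_HDR (12 bytes) followed by an
 * unpadded 5-byte NFQA_PAYLOAD (9 bytes), as with copy_range=5: 21 bytes total. */
static size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, 21);
    put16(buf, 11); put16(buf + 2, NFQA_PACKET_HDR); memcpy(buf + 4, "\1\2\3\4\5\6\7", 7);
    put16(buf + 12, 9); put16(buf + 14, NFQA_PAYLOAD); memcpy(buf + 16, "\x45\0\0\x14\0", 5);
    return 21;
}

/* Parse the sample; with corrupt != 0 the payload's nla_len is first inflated to 40.
 * Returns the payload length (5 for the good stream) or -1 when the walker rejects it. */
static int sample_payload_len(int corrupt)
{
    uint8_t buf[32]; int plen;
    size_t len = build_sample(buf);
    if (corrupt) put16(buf + 12, 40);
    return walk_nlattrs(buf, len, &plen) == 2 ? plen : -1;
}
```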