From: Thomas Graf <tgraf@suug.ch>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org
Subject: [PATCH 2/9] [NETLINK]: Convert core netlink handling to new netlink api
Date: Sat, 05 Aug 2006 00:00:02 +0200 [thread overview]
Message-ID: <20060805003535.811223323@postel.suug.ch> (raw)
In-Reply-To: 20060805003452.493542515@postel.suug.ch
Fixes a theoretical memory and locking leak when the size of
the netlink header would exceed the skb tailroom.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Index: net-2.6.19/net/netlink/af_netlink.c
===================================================================
--- net-2.6.19.orig/net/netlink/af_netlink.c
+++ net-2.6.19/net/netlink/af_netlink.c
@@ -1147,7 +1147,7 @@ static int netlink_sendmsg(struct kiocb
if (len > sk->sk_sndbuf - 32)
goto out;
err = -ENOBUFS;
- skb = alloc_skb(len, GFP_KERNEL);
+ skb = nlmsg_new(len, GFP_KERNEL);
if (skb==NULL)
goto out;
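Review bot: The `len` handed to `nlmsg_new()` on the new line is the full user-supplied message length that was just bounded by the `sk_sndbuf - 32` test two lines above, and whether `nlmsg_new()` treats its argument as the total skb size or as a payload to which it adds header and alignment is not visible in this patch, yet it decides whether that bound still holds. A one-line comment at the call, `/* len is the complete message incl. header -- confirm nlmsg_new() allocates exactly that and adds nothing */`, lets a reader check the sndbuf bound without opening the helper. netlink_sendmsg starts and ends outside the hunk.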
@@ -1342,19 +1342,18 @@ static int netlink_dump(struct sock *sk)
struct netlink_callback *cb;
struct sk_buff *skb;
struct nlmsghdr *nlh;
- int len;
+ int len, err = -ENOBUFS;
skb = sock_rmalloc(sk, NLMSG_GOODSIZE, 0, GFP_KERNEL);
if (!skb)
- return -ENOBUFS;
+ goto errout;
spin_lock(&nlk->cb_lock);
cb = nlk->cb;
if (cb == NULL) {
- spin_unlock(&nlk->cb_lock);
- kfree_skb(skb);
- return -EINVAL;
+ err = -EINVAL;
+ goto errout_skb;
}
len = cb->dump(skb, cb);
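Review bot: `int len, err = -ENOBUFS;` puts an uninitialised and an initialised declaration on one line, and the initialiser is load-bearing: it is the value returned from the `errout_skb` path taken later when the NLMSG_DONE message does not fit, where `err` is never reassigned. Splitting it into `int len;` and `int err = -ENOBUFS; /* also the result when the DONE message does not fit */` makes that reuse visible at the declaration rather than two hunks away. netlink_dump's signature is only in the hunk header and the function continues past this hunk.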
@@ -1366,8 +1365,12 @@ static int netlink_dump(struct sock *sk)
return 0;
}
- nlh = NLMSG_NEW_ANSWER(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
- memcpy(NLMSG_DATA(nlh), &len, sizeof(len));
+ nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
+ if (!nlh)
+ goto errout_skb;
+
+ memcpy(nlmsg_data(nlh), &len, sizeof(len));
+
skb_queue_tail(&sk->sk_receive_queue, skb);
sk->sk_data_ready(sk, skb->len);
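Review bot: The new `goto errout_skb` after `nlmsg_put_answer()` fails frees the skb and drops the lock but leaves `nlk->cb` installed, unlike the success path that follows, which destroys the callback; what the caller should make of the resulting -ENOBUFS and whether the next `netlink_dump()` call can regenerate the DONE message is not stated anywhere in the patch. A comment at the goto would record the intent, e.g. `/* no room for NLMSG_DONE in this skb: drop it, keep cb so the next dump retries */` — presumably that is the design, but confirm the dump callback tolerates being invoked again after it has already reported completion. The enclosing function continues before and after this hunk.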
@@ -1379,8 +1382,11 @@ static int netlink_dump(struct sock *sk)
netlink_destroy_callback(cb);
return 0;
-nlmsg_failure:
- return -ENOBUFS;
+errout_skb:
+ spin_unlock(&nlk->cb_lock);
+ kfree_skb(skb);
+errout:
+ return err;
}
int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
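Review bot: The `errout_skb` label releases `nlk->cb_lock` unconditionally, so every jump to it must be made with the lock held; the two jumps in the earlier hunks (after the `cb == NULL` test and after `nlmsg_put_answer()`) satisfy that, but nothing at the label records it. A comment above it, `/* errout_skb: reached with nlk->cb_lock held and skb allocated */`, would keep a future early exit placed before `spin_lock()` from jumping here, and `errout` should be marked as the lock-free variant in the same way. netlink_dump starts outside the hunk.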
@@ -1432,11 +1438,11 @@ void netlink_ack(struct sk_buff *in_skb,
int size;
if (err == 0)
- size = NLMSG_SPACE(sizeof(struct nlmsgerr));
+ size = nlmsg_total_size(sizeof(*errmsg));
else
- size = NLMSG_SPACE(4 + NLMSG_ALIGN(nlh->nlmsg_len));
+ size = nlmsg_total_size(sizeof(*errmsg) + nlmsg_len(nlh));
- skb = alloc_skb(size, GFP_KERNEL);
+ skb = nlmsg_new(size, GFP_KERNEL);
if (!skb) {
struct sock *sk;
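Review bot: `nlmsg_len(nlh)` in the new `else` branch presumably evaluates `nlh->nlmsg_len - NLMSG_HDRLEN`, which wraps when a caller passes a header whose `nlmsg_len` is below the header length; `netlink_rcv_skb()` rejects such messages before invoking its callback (the check is visible later in this patch), but `netlink_ack()` is non-static, so the guarantee rests on every other caller doing the same. Either state the precondition on the function, `/* nlh must already be validated: nlmsg_len >= NLMSG_HDRLEN and within the skb */`, or check it before the length is used in the size computation. netlink_ack starts outside the hunk.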
@@ -1452,16 +1458,15 @@ void netlink_ack(struct sk_buff *in_skb,
rep = __nlmsg_put(skb, NETLINK_CB(in_skb).pid, nlh->nlmsg_seq,
NLMSG_ERROR, sizeof(struct nlmsgerr), 0);
- errmsg = NLMSG_DATA(rep);
+ errmsg = nlmsg_data(rep);
errmsg->error = err;
- memcpy(&errmsg->msg, nlh, err ? nlh->nlmsg_len : sizeof(struct nlmsghdr));
+ memcpy(&errmsg->msg, nlh, err ? nlh->nlmsg_len : sizeof(*nlh));
netlink_unicast(in_skb->sk, skb, NETLINK_CB(in_skb).pid, MSG_DONTWAIT);
}
static int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *,
struct nlmsghdr *, int *))
{
- unsigned int total_len;
struct nlmsghdr *nlh;
int err;
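Review bot: The `__nlmsg_put()` call at the top of the hunk still reserves only `sizeof(struct nlmsgerr)`, while the `memcpy` below copies `nlh->nlmsg_len` bytes into `errmsg->msg` when `err != 0`; the skb was sized for the whole original message in the previous hunk, so the bytes land in tailroom, but `rep->nlmsg_len` and `skb->len` presumably do not cover them unless `__nlmsg_put()` does something this patch does not show. Passing the same payload length the allocation used, `NLMSG_ERROR, err ? sizeof(*errmsg) + nlmsg_len(nlh) : sizeof(*errmsg), 0);`, keeps the put length and the copy consistent. netlink_ack ends in this hunk; netlink_rcv_skb begins here and continues past it.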
@@ -1471,8 +1476,6 @@ static int netlink_rcv_skb(struct sk_buf
if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len)
return 0;
- total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len);
-
if (cb(skb, nlh, &err) < 0) {
/* Not an error, but we have to interrupt processing
* here. Note: that in this case we do not pull
@@ -1484,7 +1487,7 @@ static int netlink_rcv_skb(struct sk_buf
} else if (nlh->nlmsg_flags & NLM_F_ACK)
netlink_ack(skb, nlh, 0);
- skb_pull(skb, total_len);
+ netlink_queue_skip(nlh, skb);
}
return 0;
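Review bot: `netlink_queue_skip(nlh, skb)` is evaluated after `cb(skb, nlh, &err)` has returned, whereas the `total_len` it replaces (removed in the previous hunk) was captured before the callback ran; if any callback rewrites `nlh->nlmsg_len` in place, the amount skipped now differs from the old behaviour. This is inferred from the ordering alone, since netlink_queue_skip's body is outside this patch; a short comment at the call, `/* skip the message just handled; nlh->nlmsg_len must still be intact here */`, would pin the assumption. netlink_rcv_skb's loop starts before the hunk.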