* [PATCH] ip/xfrm: Fix deleteall when having many policies installed
@ 2017-01-16 14:09 Alexander Heinlein
2017-01-17 16:44 ` Stephen Hemminger
2017-01-18 17:03 ` Stephen Hemminger
0 siblings, 2 replies; 6+ messages in thread
From: Alexander Heinlein @ 2017-01-16 14:09 UTC (permalink / raw)
To: netdev; +Cc: shemminger
Fix "Policy buffer overflow" error when trying to use deleteall with
many policies installed.
Signed-off-by: Alexander Heinlein <alexander.heinlein@secunet.com>
---
ip/xfrm_policy.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
index cc9c0f1..451b982 100644
--- a/ip/xfrm_policy.c
+++ b/ip/xfrm_policy.c
@@ -732,10 +732,8 @@ static int xfrm_policy_keep(const struct
sockaddr_nl *who,
if (!xfrm_policy_filter_match(xpinfo, ptype))
return 0;
- if (xb->offset > xb->size) {
- fprintf(stderr, "Policy buffer overflow\n");
- return -1;
- }
+ if (xb->offset + NLMSG_LENGTH(sizeof(*xpid)) > xb->size)
+ return 0;
new_n = (struct nlmsghdr *)(xb->buf + xb->offset);
new_n->nlmsg_len = NLMSG_LENGTH(sizeof(*xpid));
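Review bot: the added early exit `return 0;` under `if (xb->offset + NLMSG_LENGTH(sizeof(*xpid)) > xb->size)` makes a full buffer look exactly like the filter-mismatch case just above it, which also returns 0, and nothing in the hunk says why that is safe. Please add a short comment above the check stating what the caller is expected to do with the policies that were skipped, and put the same sentence in the commit message, since the removed branch reported the condition on stderr and returned -1.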
--
2.1.4
* Re: [PATCH] ip/xfrm: Fix deleteall when having many policies installed
From: Stephen Hemminger @ 2017-01-17 16:44 UTC (permalink / raw)
To: Alexander Heinlein; +Cc: netdev
On Mon, 16 Jan 2017 15:09:01 +0100
Alexander Heinlein <alexander.heinlein@secunet.com> wrote:
> Fix "Policy buffer overflow" error when trying to use deleteall with
> many policies installed.
>
> Signed-off-by: Alexander Heinlein <alexander.heinlein@secunet.com>
> ---
> ip/xfrm_policy.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
> index cc9c0f1..451b982 100644
> --- a/ip/xfrm_policy.c
> +++ b/ip/xfrm_policy.c
> @@ -732,10 +732,8 @@ static int xfrm_policy_keep(const struct
> sockaddr_nl *who,
> if (!xfrm_policy_filter_match(xpinfo, ptype))
> return 0;
>
> - if (xb->offset > xb->size) {
> - fprintf(stderr, "Policy buffer overflow\n");
> - return -1;
> - }
> + if (xb->offset + NLMSG_LENGTH(sizeof(*xpid)) > xb->size)
> + return 0;
>
> new_n = (struct nlmsghdr *)(xb->buf + xb->offset);
> new_n->nlmsg_len = NLMSG_LENGTH(sizeof(*xpid));
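Review bot: the removed test `if (xb->offset > xb->size)` compared the offset alone, so on the lines shown it still let `new_n = (struct nlmsghdr *)(xb->buf + xb->offset);` be set up and `nlmsg_len` written when less than one message of room was left, including at `xb->offset == xb->size`. The replacement check accounts for the message length before the write; the commit message only mentions the "Policy buffer overflow" error, so it would be worth saying there that the bound itself was corrected.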
What happens when many many policies are installed?
It looks like your patch would silently stop deleting.
Does the code flush all of them?
* Re: [PATCH] ip/xfrm: Fix deleteall when having many policies installed
From: Alexander Heinlein @ 2017-01-18 8:00 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: netdev
On 01/17/2017 05:44 PM, Stephen Hemminger wrote:
> What happens when many many policies are installed?
> It looks like your patch would silently stop deleting.
> Does the code flush all of them?
Yes, it flushes all of them. xfrm_policy_list_or_deleteall() performs
multiple rounds until there are no more policies left to delete
(xb.nlmsg_count becomes 0).
The previous code failed with
> Policy buffer overflow
> Delete-all terminated
upon reaching the end of the buffer. This already happens for 102
policies on my system.
The new code fills the buffer, sends the corresponding netlink message
and then re-checks for remaining policies to delete.
You can check the old and new behavior via the following commands:
# for((i=0;i<255;++i)); do ip x p a src 0.0.0.$i dst 127.0.0.0/24 dev lo dir out action allow priority 10000; done
# ip -s -s x p deleteall action allow priority 10000
Regards
Alex
* Re: [PATCH] ip/xfrm: Fix deleteall when having many policies installed
From: Stephen Hemminger @ 2017-01-18 17:03 UTC (permalink / raw)
To: Alexander Heinlein; +Cc: netdev, shemminger
On Mon, 16 Jan 2017 15:09:01 +0100
Alexander Heinlein <alexander.heinlein@secunet.com> wrote:
> Fix "Policy buffer overflow" error when trying to use deleteall with
> many policies installed.
>
> Signed-off-by: Alexander Heinlein <alexander.heinlein@secunet.com>
> ---
> ip/xfrm_policy.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
> index cc9c0f1..451b982 100644
> --- a/ip/xfrm_policy.c
> +++ b/ip/xfrm_policy.c
> @@ -732,10 +732,8 @@ static int xfrm_policy_keep(const struct
> sockaddr_nl *who,
Patch is not formatted properly because your mailer is line wrapping
* Re: [PATCH] ip/xfrm: Fix deleteall when having many policies installed
From: Alexander Heinlein @ 2017-01-19 7:57 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: netdev, shemminger
[-- Attachment #1.1: Type: text/plain, Size: 1069 bytes --]
From 192cf19b3a97871a508ad57ba5893d1719877f13 Mon Sep 17 00:00:00 2001
From: Alexander Heinlein <alexander.heinlein@secunet.com>
Date: Mon, 16 Jan 2017 14:48:25 +0100
Subject: [PATCH] ip/xfrm: Fix deleteall when having many policies installed
Fix "Policy buffer overflow" when trying to use deleteall with many
policies installed.
Signed-off-by: Alexander Heinlein <alexander.heinlein@secunet.com>
---
ip/xfrm_policy.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
index cc9c0f1..451b982 100644
--- a/ip/xfrm_policy.c
+++ b/ip/xfrm_policy.c
@@ -732,10 +732,8 @@ static int xfrm_policy_keep(const struct sockaddr_nl *who,
if (!xfrm_policy_filter_match(xpinfo, ptype))
return 0;
- if (xb->offset > xb->size) {
- fprintf(stderr, "Policy buffer overflow\n");
- return -1;
- }
+ if (xb->offset + NLMSG_LENGTH(sizeof(*xpid)) > xb->size)
+ return 0;
new_n = (struct nlmsghdr *)(xb->buf + xb->offset);
new_n->nlmsg_len = NLMSG_LENGTH(sizeof(*xpid));
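Review bot: `NLMSG_LENGTH(sizeof(*xpid))` now appears in the added bounds check and again two lines later in `new_n->nlmsg_len = NLMSG_LENGTH(sizeof(*xpid));`, so the length that is checked and the length that is written can drift apart if one of them is edited later. Consider computing it once into a local before the check and using that in both places.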
--
2.1.4
* Re: [PATCH] ip/xfrm: Fix deleteall when having many policies installed
From: Stephen Hemminger @ 2017-01-20 17:22 UTC (permalink / raw)
To: Alexander Heinlein; +Cc: netdev, shemminger
On Thu, 19 Jan 2017 08:57:56 +0100
Alexander Heinlein <alexander.heinlein@secunet.com> wrote:
> From 192cf19b3a97871a508ad57ba5893d1719877f13 Mon Sep 17 00:00:00 2001
> From: Alexander Heinlein <alexander.heinlein@secunet.com>
> Date: Mon, 16 Jan 2017 14:48:25 +0100
> Subject: [PATCH] ip/xfrm: Fix deleteall when having many policies installed
>
> Fix "Policy buffer overflow" when trying to use deleteall with many
> policies installed.
>
> Signed-off-by: Alexander Heinlein <alexander.heinlein@secunet.com>
Applied thanks.