[PATCH net-next v1] rtnetlink: Return error when message too short

[PATCH net-next v1] rtnetlink: Return error when message too short

[Donald Hunter]

rtnetlink_rcv_msg currently returns 0 when the message length is too
short. This leads to either no response at all, or an ack response
if NLM_F_ACK was set in the request.

Change rtnetlink_rcv_msg to return -EINVAL which tells af_netlink to
generate a proper error response.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Donald Hunter <donald.hunter@gmail.com>
---
 net/core/rtnetlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 5d8eb57867a9..04b7f184f32e 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -6086,7 +6086,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 	/* All the messages must have at least 1 byte length */
 	if (nlmsg_len(nlh) < sizeof(struct rtgenmsg))
-		return 0;
+		return -EINVAL;
 
 	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
 	kind = rtnl_msgtype_kind(type);
-- 
2.39.0

Re: [PATCH net-next v1] rtnetlink: Return error when message too short

[Jakub Kicinski]

On Mon, 20 Mar 2023 23:18:34 +0000 Donald Hunter wrote:
> rtnetlink_rcv_msg currently returns 0 when the message length is too
> short. This leads to either no response at all, or an ack response
> if NLM_F_ACK was set in the request.
> 
> Change rtnetlink_rcv_msg to return -EINVAL which tells af_netlink to
> generate a proper error response.

It's a touch risky to start returning an error now.
Some application could possibly have been passing an empty netlink
message just because.

We should give the user a heads up (pr_warn_once() with the name+pid
of current process). Or continue returning a 0 but add a warning via 
the extack. The latter is cleaner but will not help old / sloppy apps,
your call.

> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

We can't put a Fixes tag on it. It could break uAPI, we don't want 
it backported for sure.

> Signed-off-by: Donald Hunter <donald.hunter@gmail.com>
> ---
>  net/core/rtnetlink.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 5d8eb57867a9..04b7f184f32e 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -6086,7 +6086,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
>  
>  	/* All the messages must have at least 1 byte length */
>  	if (nlmsg_len(nlh) < sizeof(struct rtgenmsg))
> -		return 0;
> +		return -EINVAL;
>  
>  	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
>  	kind = rtnl_msgtype_kind(type);

Re: [PATCH net-next v1] rtnetlink: Return error when message too short

[Donald Hunter]

Jakub Kicinski <kuba@kernel.org> writes:

> On Mon, 20 Mar 2023 23:18:34 +0000 Donald Hunter wrote:
>> rtnetlink_rcv_msg currently returns 0 when the message length is too
>> short. This leads to either no response at all, or an ack response
>> if NLM_F_ACK was set in the request.
>>
>> Change rtnetlink_rcv_msg to return -EINVAL which tells af_netlink to
>> generate a proper error response.
>
> It's a touch risky to start returning an error now.
> Some application could possibly have been passing an empty netlink
> message just because.

It seemed harmless enough to me, but you make a good point.

> We should give the user a heads up (pr_warn_once() with the name+pid
> of current process). Or continue returning a 0 but add a warning via
> the extack. The latter is cleaner but will not help old / sloppy apps,
> your call.

A pr_warn_once() should be enough to help the next person and also to
give visibility of any sloppy apps.

I was considering pr_warn_once() for the nlmsghdr length check in
netlink_rcv_skb since there's nowhere to reply to when the header is
malformed. 

>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>
> We can't put a Fixes tag on it. It could break uAPI, we don't want
> it backported for sure.