Netdev List
* [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA
@ 2026-06-14  3:49 Xiang Mei
  2026-06-15 13:09 ` Simon Horman
  0 siblings, 1 reply; 2+ messages in thread
From: Xiang Mei @ 2026-06-14  3:49 UTC (permalink / raw)
  To: kuba, netdev
  Cc: davem, yotam.gi, edumazet, pabeni, horms, bestswngs, Xiang Mei

psample_sample_packet() open-codes the PSAMPLE_ATTR_DATA attribute and
reserves nla_total_size(data_len) bytes but only writes NLA_HDRLEN +
data_len of them.  When data_len is not a multiple of 4 the trailing
alignment padding is left uninitialised, leaking stale slab memory to
every listener on the PSAMPLE_NL_MCGRP_SAMPLE multicast group.

Use nla_reserve(), which lays out the header and zeroes the padding, and
copy the payload into the reserved area with skb_copy_bits().

Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
v2: use nla_reserve to ensure no info leak

 net/psample/psample.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/psample/psample.c b/net/psample/psample.c
index 7763662036fb..6a714a4b4992 100644
--- a/net/psample/psample.c
+++ b/net/psample/psample.c
@@ -476,12 +476,11 @@ void psample_sample_packet(struct psample_group *group,
 		goto error;
 
 	if (data_len) {
-		int nla_len = nla_total_size(data_len);
 		struct nlattr *nla;
 
-		nla = skb_put(nl_skb, nla_len);
-		nla->nla_type = PSAMPLE_ATTR_DATA;
-		nla->nla_len = nla_attr_size(data_len);
+		nla = nla_reserve(nl_skb, PSAMPLE_ATTR_DATA, data_len);
+		if (!nla)
+			goto error;
 
 		if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
 			goto error;
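Review bot: the added `if (!nla) goto error;` after nla_reserve() changes what happens when nl_skb has too little tailroom, and neither the commit message nor the code says so. The removed skb_put() would have ended in skb_over_panic() in that case, while nla_reserve() returns NULL and the sample is now dropped through the existing error label. A sentence in the changelog stating that this is intended would help backporters. A one-line comment above the nla_reserve() call noting that it is used because it zeroes the alignment padding would also keep a later cleanup from open-coding the attribute again.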
-- 
2.43.0
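
The padding arithmetic from the commit message above, as an added userspace C model; it is not code from the patch or from the kernel. `struct nlattr_model`, `put_attr()`, `stale_pad_bytes()`, the `STALE` marker and the `ATTR_TYPE` value are constructed for illustration, and the alignment macros are copied in shape from the netlink UAPI header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model; the macros mirror include/uapi/linux/netlink.h. */
struct nlattr_model { uint16_t nla_len; uint16_t nla_type; };
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr_model)))
#define STALE 0xAA      /* constructed marker standing in for old slab bytes */
#define ATTR_TYPE 4     /* constructed type value, not taken from psample.h */

static int attr_size(int payload)  { return NLA_HDRLEN + payload; }          /* nla_attr_size()  */
static int total_size(int payload) { return NLA_ALIGN(attr_size(payload)); } /* nla_total_size() */
static int pad_len(int payload)    { return total_size(payload) - attr_size(payload); }

/* zero_pad=0: removed pattern (only header + payload are written);
 * zero_pad=1: nla_reserve()-style, padding zeroed before the copy. */
static int put_attr(uint8_t *tail, const uint8_t *data, int len, int zero_pad)
{
    struct nlattr_model h = { (uint16_t)attr_size(len), ATTR_TYPE };
    memcpy(tail, &h, sizeof(h));
    if (zero_pad)
        memset(tail + attr_size(len), 0, pad_len(len));
    memcpy(tail + NLA_HDRLEN, data, len);
    return total_size(len);   /* bytes claimed in the message */
}

/* Count padding bytes that still hold the stale marker after the put. */
static int stale_pad_bytes(int len, int fixed)
{
    uint8_t buf[64], data[32];
    int i, n, stale = 0;
    memset(buf, STALE, sizeof(buf));   /* "previous slab contents" */
    memset(data, 0x11, sizeof(data));  /* constructed packet payload */
    n = put_attr(buf, data, len, fixed);
    for (i = attr_size(len); i < n; i++)
        stale += (buf[i] == STALE);
    return stale;
}

int main(void)
{
    for (int len = 5; len <= 8; len++)
        printf("data_len=%d open-coded=%d reserved=%d\n", len,
               stale_pad_bytes(len, 0), stale_pad_bytes(len, 1));
    return 0;
}
```
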



* Re: [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA
  2026-06-14  3:49 [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA Xiang Mei
@ 2026-06-15 13:09 ` Simon Horman
  0 siblings, 0 replies; 2+ messages in thread
From: Simon Horman @ 2026-06-15 13:09 UTC (permalink / raw)
  To: Xiang Mei; +Cc: kuba, netdev, davem, yotam.gi, edumazet, pabeni, bestswngs

On Sat, Jun 13, 2026 at 08:49:19PM -0700, Xiang Mei wrote:
> psample_sample_packet() open-codes the PSAMPLE_ATTR_DATA attribute and
> reserves nla_total_size(data_len) bytes but only writes NLA_HDRLEN +
> data_len of them.  When data_len is not a multiple of 4 the trailing
> alignment padding is left uninitialised, leaking stale slab memory to
> every listener on the PSAMPLE_NL_MCGRP_SAMPLE multicast group.
> 
> Use nla_reserve(), which lays out the header and zeroes the padding, and
> copy the payload into the reserved area with skb_copy_bits().
> 
> Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
> v2: use nla_reserve to ensure no info leak

Reviewed-by: Simon Horman <horms@kernel.org>

