[PATCH 2.6] fix zombie netlink socket in user space

[PATCH 2.6] fix zombie netlink socket in user space

[Pablo Neira]

[-- Attachment #1: Type: text/plain, Size: 343 bytes --]

Hi Davem,

If you try to bind/connect to a non existant netlink socket, client 
socket gets succesfully inserted as head in the socket list. The problem 
is that the head can't be delete, so that socket stays in the list 
forever (see sk_del_node_init).

If I'm missing something, please let me know. I'll submit a 2.4 version

regards,
Pablo

[-- Attachment #2: netlink-fix-zombie.patch --]
[-- Type: text/x-patch, Size: 1117 bytes --]

diff -u -r1.2 af_netlink.c
--- a/net/netlink/af_netlink.c	19 Sep 2004 04:41:12 -0000	1.2
+++ b/net/netlink/af_netlink.c	19 Sep 2004 05:20:51 -0000
@@ -306,6 +306,19 @@
 	return 0;
 }
 
+static inline int netlink_socket_exist(int protocol)
+{
+	/* Wanna bind to an non-existant netlink socket? */
+	netlink_table_grab();
+	if (!sk_head(&nl_table[protocol])) {
+		netlink_table_ungrab();
+		return 0;
+	}
+	netlink_table_ungrab();
+
+	return 1;
+}
+
 static int netlink_autobind(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
@@ -351,6 +364,9 @@
 	if (nladdr->nl_family != AF_NETLINK)
 		return -EINVAL;
 
+        if (!netlink_socket_exist(sk->sk_protocol))
+		return -ENOENT;
+
 	/* Only superuser is allowed to listen multicasts */
 	if (nladdr->nl_groups && !netlink_capable(sock, NL_NONROOT_RECV))
 		return -EPERM;
@@ -392,6 +408,9 @@
 	if (addr->sa_family != AF_NETLINK)
 		return -EINVAL;
 
+        if (!netlink_socket_exist(sk->sk_protocol))
+		return -ENOENT;
+
 	/* Only superuser is allowed to send multicasts */
 	if (nladdr->nl_groups && !netlink_capable(sock, NL_NONROOT_SEND))
 		return -EPERM;

Re: [PATCH 2.6] fix zombie netlink socket in user space

[Herbert Xu]

Pablo Neira <pablo@eurodev.net> wrote:
> 
> If you try to bind/connect to a non existant netlink socket, client 
> socket gets succesfully inserted as head in the socket list. The problem 
> is that the head can't be delete, so that socket stays in the list 
> forever (see sk_del_node_init).

Huh? Where does it say that the head can't be deleted?
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH 2.6] fix zombie netlink socket in user space

[Pablo Neira]

Pablo Neira wrote:

> If you try to bind/connect to a non existant netlink socket, client 
> socket gets succesfully inserted as head in the socket list.


BTW oh please, forget this patch...

regards,
Pablo

Re: [PATCH 2.6] fix zombie netlink socket in user space

[jamal]

Theres also a fundamental issue in trying to control bind/connect
behavior with the way this patch tries to "fix" things. Theres at least
one app i know of which depends on this.
Dave, whats acceptable? My thinking is this should probably be
controlled by something like the SE linux path?

cheers,
jamal

On Sun, 2004-09-19 at 04:02, Herbert Xu wrote: 
> Pablo Neira <pablo@eurodev.net> wrote:
> > 
> > If you try to bind/connect to a non existant netlink socket, client 
> > socket gets succesfully inserted as head in the socket list. The problem 
> > is that the head can't be delete, so that socket stays in the list 
> > forever (see sk_del_node_init).
> 
> Huh? Where does it say that the head can't be deleted?