aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2017-11-07 20:17:40 +0900
committerJason A. Donenfeld <Jason@zx2c4.com>2017-11-07 20:17:40 +0900
commitdf4185068054459301670646543099a650ada038 (patch)
treed135fb47909921c3bd81628887951d40c669a5e0
parentMerge branch 'for-4.14-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq (diff)
downloadlinux-dev-jd/netlink-dump-size.tar.xz
linux-dev-jd/netlink-dump-size.zip
af_netlink: give correct bounds to dump skb for NLMSG_DONEjd/netlink-dump-size
The way people generally use netlink_dump is that they fill in the skb as much as possible, breaking when nla_put returns an error. Then, they get called again and start filling out the next skb, and again, and so forth. The mechanism at work here is the ability for the iterative dumping function to detect when the skb is filled up and not fill it past the brim, waiting for a fresh skb for the rest of the data. However, if the attributes are small and nicely packed, it is possible that a dump callback function successfully fills in attributes until the skb is of size 4080 (libmnl's default page-sized receive buffer size). The dump function completes, satisfied, and then, if it happens to be that this is actually the last skb, and no further ones are to be sent, then netlink_dump will add on the NLMSG_DONE part: nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI); It is very important that netlink_dump does this, of course. However, in this example, that call to nlmsg_put_answer will fail, because the previous filling by the dump function did not leave it enough room. And how could it possibly have done so? All of the nla_put variety of functions simply check to see if the skb has enough tailroom, independent of the context it is in. In order to keep the important assumptions of all netlink dump users, it is therefore important to give them an skb that has this end part of the tail already reserved, so that the call to nlmsg_put_answer does not fail. Otherwise, library authors are forced to find some bizarre sized receive buffer that has a large modulo relative to the common sizes of messages received, which is ugly and buggy. This patch thus reserves and restores the required length for NLMSG_DONE during the call to the dump function. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--net/netlink/af_netlink.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index b93148e8e9fb..b2d0a2fb1939 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2183,7 +2183,9 @@ static int netlink_dump(struct sock *sk)
skb_reserve(skb, skb_tailroom(skb) - alloc_size);
netlink_skb_set_owner_r(skb, sk);
+ skb->end -= nlmsg_total_size(sizeof(len));
len = cb->dump(skb, cb);
+ skb->end += nlmsg_total_size(sizeof(len));
if (len > 0) {
mutex_unlock(nlk->cb_mutex);