diff options
| author |   Denis V. Lunev <den@openvz.org> | 2007-12-21 02:01:53 -0800 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2007-12-21 02:01:53 -0800 |
| commit | d883a0367149506e8b7a3f31891d1ea30b9377f3 (patch) | |
| tree | d016dc1959372baa50e6d64f76ff14bbe3c8927b /net | |
| parent | [NET]: Fix function put_cmsg() which may cause usr application memory overflow (diff) | |
| download | linux-dev-d883a0367149506e8b7a3f31891d1ea30b9377f3.tar.xz linux-dev-d883a0367149506e8b7a3f31891d1ea30b9377f3.zip | |
[IPV4]: OOPS with NETLINK_FIB_LOOKUP netlink socket
[ Regression added by changeset:
cd40b7d3983c708aabe3d3008ec64ffce56d33b0
[NET]: make netlink user -> kernel interface synchronious
-DaveM ]
nl_fib_input re-reuses incoming skb to send the reply. This means that this
packet will be freed twice, namely in:
- netlink_unicast_kernel
- on receive path
Use clone to send as a cure, the caller is responsible for kfree_skb on error.
Thanks to Alexey Dobryan, who originally found the problem.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/fib_frontend.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 732d8f088b13..97abf934d185 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -804,10 +804,13 @@ static void nl_fib_input(struct sk_buff *skb) nlh = nlmsg_hdr(skb); if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len || - nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) { - kfree_skb(skb); + nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) return; - } + + skb = skb_clone(skb, GFP_KERNEL); + if (skb == NULL) + return; + nlh = nlmsg_hdr(skb); frn = (struct fib_result_nl *) NLMSG_DATA(nlh); tb = fib_get_table(frn->tb_id_in); |