[RHEL7,COMMIT] ms/netfilter: nfnetlink: correctly validate length of batch messages (take 2)

Submitted by Vasily Averin on Aug. 24, 2020, 9:02 a.m.

Details

Message ID 202008240902.07O92jEs020289@vz7build.vvs.sw.ru
State New
Series "ms/netfilter: nfnetlink: correctly validate length of batch messages (take 2)"

Commit Message

Vasily Averin Aug. 24, 2020, 9:02 a.m.
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.6
------>
commit 57932314acbae8fac4f907029f29a15b1497ea10
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date:   Mon Aug 24 12:02:45 2020 +0300

    ms/netfilter: nfnetlink: correctly validate length of batch messages (take 2)
    
    We did a backport of the upstream commit c58d6c93680f
      ("netfilter: nfnetlink: correctly validate length of batch messages")
    a while ago in the scope of https://jira.sw.ru/browse/PSBM-57511.
    Our backport is commit defecd27dbb0
      ("ms/netfilter: nfnetlink: correctly validate length of batch messages")
    
    However, the backport was incomplete, hence we can observe:
       skbuff: skb_over_panic: text:ffffffffb0b5ea8a len:-48 put:-48 head:ffff880055082c80 data:ffff880055082c80 tail:0xffffffd0 end:0xc0 dev:<NULL>
       ------------[ cut here ]------------
       kernel BUG at net/core/skbuff.c:131!
    
    Backport the missing part to finally fix this.
    
    https://jira.sw.ru/browse/PSBM-106395
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 net/netfilter/nfnetlink.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Patch

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index a48f185..e22f84b 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -331,8 +331,9 @@  replay:
 		if (nlh->nlmsg_len < NLMSG_HDRLEN ||
 		    skb->len < nlh->nlmsg_len ||
 		    nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {
-			err = -EINVAL;
-			goto ack;
+			nfnl_err_reset(&err_list);
+			status |= NFNL_BATCH_FAILURE;
+			goto done;
 		}
 
 		/* Only requests are handled by the kernel */
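Review bot: the important consequence of this hunk is that a message whose header fails the length check no longer reaches the `ack:` path; the old `err = -EINVAL; goto ack;` tried to build a per-message ACK from an `nlh` that the very same condition had just shown to be malformed (`nlh->nlmsg_len < NLMSG_HDRLEN` or larger than the remaining `skb->len`), which is consistent with the negative `len:-48 put:-48` in the skb_over_panic quoted in the commit message. Two things are worth confirming before merging: that the `done:` label in this file handles `status & NFNL_BATCH_FAILURE` by aborting the whole batch (so the already-processed messages in the transaction are rolled back rather than partially committed), and that nothing between the new `goto done` and the end of `nfnetlink_rcv_batch()` dereferences `nlh` or advances `skb` again using the invalid `nlmsg_len`. It would also help to add one sentence to the commit message saying that this hunk is the remaining difference against upstream c58d6c93680f, since the earlier backport defecd27dbb0 is described as incomplete but the description does not say which part was missing; a reader comparing the two trees should be able to verify that claim from the message alone. Note that `nfnl_err_reset(&err_list)` discards any per-message errors queued earlier in this batch, so after this change the user receives a single batch failure instead of the individual error acks, which is the intended behaviour for a malformed batch but should be stated explicitly.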