diff options
author | Patrick McHardy <kaber@trash.net> | 2008-02-19 17:17:52 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-02-19 17:17:52 -0800 |
commit | e2b58a67b91dec07dfb40ca2056c64011ce8489d (patch) | |
tree | 46e258092c2401b9cf6bc232ecfe96248a51982e /net/netfilter | |
parent | 94cb1503c799c0197e7ef5bad606fee5c84b99d8 (diff) | |
download | linux-stable-e2b58a67b91dec07dfb40ca2056c64011ce8489d.tar.gz linux-stable-e2b58a67b91dec07dfb40ca2056c64011ce8489d.tar.bz2 linux-stable-e2b58a67b91dec07dfb40ca2056c64011ce8489d.zip |
[NETFILTER]: {ip,ip6,nfnetlink}_queue: fix SKB_LINEAR_ASSERT when mangling packet data
As reported by Tomas Simonaitis <tomas.simonaitis@gmail.com>,
inserting new data in skbs queued over {ip,ip6,nfnetlink}_queue
triggers a SKB_LINEAR_ASSERT in skb_put().
Going back through the git history, it seems this bug is present since
at least 2.6.12-rc2, probably even since the removal of
skb_linearize() for netfilter.
Linearize non-linear skbs through skb_copy_expand() when enlarging
them. Tested by Thomas, fixes bugzilla #9933.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nfnetlink_queue.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index a48b20fe9cd6..0043d3a9f87e 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -443,8 +443,8 @@ err_out: static int nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e) { + struct sk_buff *nskb; int diff; - int err; diff = data_len - e->skb->len; if (diff < 0) { @@ -454,14 +454,16 @@ nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e) if (data_len > 0xFFFF) return -EINVAL; if (diff > skb_tailroom(e->skb)) { - err = pskb_expand_head(e->skb, 0, + nskb = skb_copy_expand(e->skb, 0, diff - skb_tailroom(e->skb), GFP_ATOMIC); - if (err) { + if (!nskb) { printk(KERN_WARNING "nf_queue: OOM " "in mangle, dropping packet\n"); - return err; + return -ENOMEM; } + kfree_skb(e->skb); + e->skb = nskb; } skb_put(e->skb, diff); } |