Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ad2ad0f9 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller
Browse files

[NETFILTER]: Fix undersized skb allocation in ipt_ULOG/ebt_ulog/nfnetlink_log 



The skb allocated is always of size nlbufsize, even if that is smaller than
the size needed for the current packet.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c2db2924

net/bridge/netfilter/ebt_ulog.c

+5 −3
Original line number Diff line number Diff line
@@ -98,12 +98,14 @@ static void ulog_timer(unsigned long data) 
static struct sk_buff *ulog_alloc_skb(unsigned int size)

{

	struct sk_buff *skb;

	unsigned int n;



	skb = alloc_skb(nlbufsiz, GFP_ATOMIC);

	n = max(size, nlbufsiz);

	skb = alloc_skb(n, GFP_ATOMIC);

	if (!skb) {

		PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer "

		       "of size %ub!\n", nlbufsiz);

		if (size < nlbufsiz) {

		       "of size %ub!\n", n);

		if (n > size) {

			/* try to allocate only as much as we need for

			 * current packet */

			skb = alloc_skb(size, GFP_ATOMIC);

net/ipv4/netfilter/ipt_ULOG.c

+12 −8
Original line number Diff line number Diff line
@@ -147,22 +147,26 @@ static void ulog_timer(unsigned long data) 
static struct sk_buff *ulog_alloc_skb(unsigned int size)

{

	struct sk_buff *skb;

	unsigned int n;



	/* alloc skb which should be big enough for a whole

	 * multipart message. WARNING: has to be <= 131000

	 * due to slab allocator restrictions */



	skb = alloc_skb(nlbufsiz, GFP_ATOMIC);

	n = max(size, nlbufsiz);

	skb = alloc_skb(n, GFP_ATOMIC);

	if (!skb) {

		PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n",

			nlbufsiz);

		PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", n);



		if (n > size) {

			/* try to allocate only as much as we need for 

			 * current packet */



			skb = alloc_skb(size, GFP_ATOMIC);

			if (!skb)

			PRINTR("ipt_ULOG: can't even allocate %ub\n", size);

				PRINTR("ipt_ULOG: can't even allocate %ub\n",

				       size);

		}

	}



	return skb;

net/netfilter/nfnetlink_log.c

+11 −7
Original line number Diff line number Diff line
@@ -314,24 +314,28 @@ static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, 
					unsigned int pkt_size)

{

	struct sk_buff *skb;

	unsigned int n;



	UDEBUG("entered (%u, %u)\n", inst_size, pkt_size);



	/* alloc skb which should be big enough for a whole multipart

	 * message.  WARNING: has to be <= 128k due to slab restrictions */



	skb = alloc_skb(inst_size, GFP_ATOMIC);

	n = max(inst_size, pkt_size);

	skb = alloc_skb(n, GFP_ATOMIC);

	if (!skb) {

		PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n",

			inst_size);



		if (n > pkt_size) {

			/* try to allocate only as much as we need for current

			 * packet */



			skb = alloc_skb(pkt_size, GFP_ATOMIC);

			if (!skb)

			PRINTR("nfnetlink_log: can't even alloc %u bytes\n",

				pkt_size);

				PRINTR("nfnetlink_log: can't even alloc %u "

				       "bytes\n", pkt_size);

		}

	}



	return skb;