diff options
| author | Patrick McHardy <kaber@trash.net> | 2006-02-04 05:13:57 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-02-05 02:51:19 -0500 |
| commit | ad2ad0f96546d6d56b2665bcc863c33ae57c49c4 (patch) | |
| tree | 9c5f6357bd7a0ecb4748acfaf19a04ea3149707b /net | |
| parent | c2db292438c20c3f13db6e5563e0ce5b449bedac (diff) | |
[NETFILTER]: Fix undersized skb allocation in ipt_ULOG/ebt_ulog/nfnetlink_log
The skb allocated is always of size nlbufsize, even if that is smaller than
the size needed for the current packet.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bridge/netfilter/ebt_ulog.c | 8 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_ULOG.c | 20 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_log.c | 18 |
3 files changed, 28 insertions, 18 deletions
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c index dbbf9f673b55..802baf755ef4 100644 --- a/net/bridge/netfilter/ebt_ulog.c +++ b/net/bridge/netfilter/ebt_ulog.c | |||
| @@ -98,12 +98,14 @@ static void ulog_timer(unsigned long data) | |||
| 98 | static struct sk_buff *ulog_alloc_skb(unsigned int size) | 98 | static struct sk_buff *ulog_alloc_skb(unsigned int size) |
| 99 | { | 99 | { |
| 100 | struct sk_buff *skb; | 100 | struct sk_buff *skb; |
| 101 | unsigned int n; | ||
| 101 | 102 | ||
| 102 | skb = alloc_skb(nlbufsiz, GFP_ATOMIC); | 103 | n = max(size, nlbufsiz); |
| 104 | skb = alloc_skb(n, GFP_ATOMIC); | ||
| 103 | if (!skb) { | 105 | if (!skb) { |
| 104 | PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer " | 106 | PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer " |
| 105 | "of size %ub!\n", nlbufsiz); | 107 | "of size %ub!\n", n); |
| 106 | if (size < nlbufsiz) { | 108 | if (n > size) { |
| 107 | /* try to allocate only as much as we need for | 109 | /* try to allocate only as much as we need for |
| 108 | * current packet */ | 110 | * current packet */ |
| 109 | skb = alloc_skb(size, GFP_ATOMIC); | 111 | skb = alloc_skb(size, GFP_ATOMIC); |
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index 2fe64133bba3..180a9ea57b69 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
| @@ -147,22 +147,26 @@ static void ulog_timer(unsigned long data) | |||
| 147 | static struct sk_buff *ulog_alloc_skb(unsigned int size) | 147 | static struct sk_buff *ulog_alloc_skb(unsigned int size) |
| 148 | { | 148 | { |
| 149 | struct sk_buff *skb; | 149 | struct sk_buff *skb; |
| 150 | unsigned int n; | ||
| 150 | 151 | ||
| 151 | /* alloc skb which should be big enough for a whole | 152 | /* alloc skb which should be big enough for a whole |
| 152 | * multipart message. WARNING: has to be <= 131000 | 153 | * multipart message. WARNING: has to be <= 131000 |
| 153 | * due to slab allocator restrictions */ | 154 | * due to slab allocator restrictions */ |
| 154 | 155 | ||
| 155 | skb = alloc_skb(nlbufsiz, GFP_ATOMIC); | 156 | n = max(size, nlbufsiz); |
| 157 | skb = alloc_skb(n, GFP_ATOMIC); | ||
| 156 | if (!skb) { | 158 | if (!skb) { |
| 157 | PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", | 159 | PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", n); |
| 158 | nlbufsiz); | ||
| 159 | 160 | ||
| 160 | /* try to allocate only as much as we need for | 161 | if (n > size) { |
| 161 | * current packet */ | 162 | /* try to allocate only as much as we need for |
| 163 | * current packet */ | ||
| 162 | 164 | ||
| 163 | skb = alloc_skb(size, GFP_ATOMIC); | 165 | skb = alloc_skb(size, GFP_ATOMIC); |
| 164 | if (!skb) | 166 | if (!skb) |
| 165 | PRINTR("ipt_ULOG: can't even allocate %ub\n", size); | 167 | PRINTR("ipt_ULOG: can't even allocate %ub\n", |
| 168 | size); | ||
| 169 | } | ||
| 166 | } | 170 | } |
| 167 | 171 | ||
| 168 | return skb; | 172 | return skb; |
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index 50787af86d7d..3b3c781b40c0 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c | |||
| @@ -314,24 +314,28 @@ static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, | |||
| 314 | unsigned int pkt_size) | 314 | unsigned int pkt_size) |
| 315 | { | 315 | { |
| 316 | struct sk_buff *skb; | 316 | struct sk_buff *skb; |
| 317 | unsigned int n; | ||
| 317 | 318 | ||
| 318 | UDEBUG("entered (%u, %u)\n", inst_size, pkt_size); | 319 | UDEBUG("entered (%u, %u)\n", inst_size, pkt_size); |
| 319 | 320 | ||
| 320 | /* alloc skb which should be big enough for a whole multipart | 321 | /* alloc skb which should be big enough for a whole multipart |
| 321 | * message. WARNING: has to be <= 128k due to slab restrictions */ | 322 | * message. WARNING: has to be <= 128k due to slab restrictions */ |
| 322 | 323 | ||
| 323 | skb = alloc_skb(inst_size, GFP_ATOMIC); | 324 | n = max(inst_size, pkt_size); |
| 325 | skb = alloc_skb(n, GFP_ATOMIC); | ||
| 324 | if (!skb) { | 326 | if (!skb) { |
| 325 | PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n", | 327 | PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n", |
| 326 | inst_size); | 328 | inst_size); |
| 327 | 329 | ||
| 328 | /* try to allocate only as much as we need for current | 330 | if (n > pkt_size) { |
| 329 | * packet */ | 331 | /* try to allocate only as much as we need for current |
| 332 | * packet */ | ||
| 330 | 333 | ||
| 331 | skb = alloc_skb(pkt_size, GFP_ATOMIC); | 334 | skb = alloc_skb(pkt_size, GFP_ATOMIC); |
| 332 | if (!skb) | 335 | if (!skb) |
| 333 | PRINTR("nfnetlink_log: can't even alloc %u bytes\n", | 336 | PRINTR("nfnetlink_log: can't even alloc %u " |
| 334 | pkt_size); | 337 | "bytes\n", pkt_size); |
| 338 | } | ||
| 335 | } | 339 | } |
| 336 | 340 | ||
| 337 | return skb; | 341 | return skb; |