[Bug 780] New: nfnl_handle_packet() doesn't respect NLMSG_DONE
bugzilla-daemon at bugzilla.netfilter.org
Wed Mar 28 22:28:36 CEST 2012
http://bugzilla.netfilter.org/show_bug.cgi?id=780
Summary: nfnl_handle_packet() doesn't respect NLMSG_DONE
Product: libnfnetlink
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P5
Component: libnfnetlink
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: dafranke at akamai.com
Estimated Hours: 0.0
Created attachment 382
--> http://bugzilla.netfilter.org/attachment.cgi?id=382
Proposed patch
Datagrams sent across a netlink socket from kernel to userspace can contain
trailing garbage of arbitrary length. Userspace is expected to cope with this
by checking for messages of type NLMSG_DONE and doing no further parsing of the
datagram after encountering one. nfnl_handle_packet() doesn't currently do this
check. As a result, if the length of the trailing garbage is greater than or
equal to NLMSG_SPACE(0) (i.e. NLMSG_ALIGNTO), it tries to parse the garbage as
though it were an additional message. Theoretically, this results in undefined
behavior, since that garbage might be interpretable as a valid message. In
practice, some sanity check fails and nfnl_handle_packet() returns -1.
Attached is a patch which rewrites nfnl_handle_packet() to parse datagrams in
the idiom recommended by the netlink(7) manpage, including correctly handling
NLMSG_DONE.
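The parsing loop the report refers to, as an added example that is not part of the bug report, the attached patch, or libnfnetlink itself. It walks a datagram with the NLMSG_OK / NLMSG_NEXT idiom from netlink(7), once with the NLMSG_DONE check and once without, over a constructed datagram (not a real capture) that has trailing bytes after the NLMSG_DONE. The function names nl_walk, build_sample_datagram and run_scenario, the message types 0x10 and 0x99, and the payload bytes are all invented for the illustration; the nlmsghdr layout and macros come from <linux/netlink.h>, with a copy of the needed definitions included only for builds on other platforms.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <linux/netlink.h>
#else
/* Minimal mirror of <linux/netlink.h> so the example also builds off Linux. */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
                  uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
#define NLMSG_ALIGNTO 4U
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN ((int)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLMSG_LENGTH(len) ((len) + NLMSG_HDRLEN)
#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len))
#define NLMSG_NEXT(nlh, len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
    (struct nlmsghdr *)(((char *)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len)))
#define NLMSG_OK(nlh, len) ((len) >= (int)sizeof(struct nlmsghdr) && \
    (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && (nlh)->nlmsg_len <= (len))
#define NLMSG_DONE 0x3
#endif

typedef int (*nl_msg_cb)(const struct nlmsghdr *nlh, void *arg);
/* Walk one received datagram in the netlink(7) loop idiom, handing each message
 * to cb. Returns the count delivered, or -1 if the loop stopped with bytes left
 * that did not form a valid message. stop_at_done == 0 reproduces the bug. */
int nl_walk(void *buf, int len, int stop_at_done, nl_msg_cb cb, void *arg)
{
    struct nlmsghdr *nlh;
    int delivered = 0;
    for (nlh = buf; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (stop_at_done && nlh->nlmsg_type == NLMSG_DONE)
            return delivered;          /* end of data: never look past it */
        if (cb(nlh, arg) < 0)
            return -1;
        delivered++;
    }
    return len == 0 ? delivered : -1;
}

/* Append one message (header, payload, alignment pad) at *off; -1 if no room. */
static int put_msg(unsigned char *buf, size_t cap, size_t *off,
                   uint16_t type, const void *payload, size_t plen)
{
    struct nlmsghdr hdr = {0};
    size_t need = NLMSG_SPACE(plen);
    if (*off + need > cap)
        return -1;
    hdr.nlmsg_len = (uint32_t)NLMSG_LENGTH(plen);
    hdr.nlmsg_type = type;
    memset(buf + *off, 0, need);
    memcpy(buf + *off, &hdr, sizeof hdr);
    memcpy(buf + *off + NLMSG_HDRLEN, payload, plen);
    *off += need;
    return 0;
}

/* Constructed datagram (not a real capture): a type 0x10 message, an NLMSG_DONE
 * with the int status a dump ends with, then 16 trailing bytes: a well-formed
 * empty header of type 0x99 if plausible_garbage, else 0xff filler. */
int build_sample_datagram(unsigned char *buf, size_t cap, int plausible_garbage)
{
    size_t off = 0;
    int32_t status = 0;
    if (put_msg(buf, cap, &off, 0x10, "payload1", 8) < 0 ||
        put_msg(buf, cap, &off, NLMSG_DONE, &status, sizeof status) < 0)
        return -1;
    if (plausible_garbage)
        return put_msg(buf, cap, &off, 0x99, "", 0) < 0 ? -1 : (int)off;
    if (off + 16 > cap)
        return -1;
    memset(buf + off, 0xff, 16);
    return (int)(off + 16);
}

/* rc is nl_walk's result; last_type is the type of the last message cb saw. */
struct walk_result { int rc; unsigned last_type; };
static int record_cb(const struct nlmsghdr *nlh, void *arg)
{
    ((struct walk_result *)arg)->last_type = nlh->nlmsg_type;
    return 0;
}

struct walk_result run_scenario(int plausible_garbage, int stop_at_done)
{
    uint32_t storage[32];                 /* 4-byte aligned backing store */
    unsigned char *buf = (unsigned char *)storage;
    struct walk_result r = {-1, 0};
    int len = build_sample_datagram(buf, sizeof storage, plausible_garbage);
    if (len >= 0)
        r.rc = nl_walk(buf, len, stop_at_done, record_cb, &r);
    return r;
}

int main(void)
{
    struct walk_result a = run_scenario(1, 0), b = run_scenario(1, 1);
    printf("DONE ignored:  rc=%d last_type=0x%x\n", a.rc, a.last_type);
    printf("DONE honoured: rc=%d last_type=0x%x\n", b.rc, b.last_type);
    printf("0xff garbage:  rc=%d ignored, %d honoured\n",
           run_scenario(0, 0).rc, run_scenario(0, 1).rc);
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. Without the NLMSG_DONE check the walker hands the 16 trailing bytes to the callback as a message of type 0x99 when they happen to form a valid header, and returns -1 when they do not (the 0xff case, where nlmsg_len exceeds the remaining length and NLMSG_OK fails); with the check it stops at NLMSG_DONE and returns 1 either way. Note that NLMSG_OK only examines leftover bytes once at least sizeof(struct nlmsghdr) of them remain, so shorter trailers are skipped by the loop condition itself.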