From patchwork Mon Sep 24 13:03:09 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pablo Neira Ayuso <pablo@netfilter.org>
X-Patchwork-Id: 186396
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id EEBA72C0087
	for <incoming@patchwork.ozlabs.org>;
	Mon, 24 Sep 2012 23:04:41 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753879Ab2IXNEk (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Mon, 24 Sep 2012 09:04:40 -0400
Received: from mail.us.es ([193.147.175.20]:53662 "EHLO mail.us.es"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753607Ab2IXNEj (ORCPT <rfc822; netfilter-devel@vger.kernel.org>);
	Mon, 24 Sep 2012 09:04:39 -0400
Received: (qmail 1663 invoked from network); 24 Sep 2012 15:04:37 +0200
Received: from unknown (HELO us.es) (192.168.2.13)
	by us.es with SMTP; 24 Sep 2012 15:04:37 +0200
Received: (qmail 1499 invoked by uid 507); 24 Sep 2012 13:04:37 -0000
X-Qmail-Scanner-Diagnostics: from 127.0.0.1 by antivirus3 (envelope-from
	<pablo@netfilter.org>, uid 501) with qmail-scanner-2.10
	(clamdscan: 0.97.5/15395. spamassassin: 3.3.2.  
	Clear:RC:1(127.0.0.1):SA:0(-97.0/7.5):.
	Processed in 5.319772 secs); 24 Sep 2012 13:04:37 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on antivirus3
X-Spam-Level: 
X-Spam-Status: No, score=-97.0 required=7.5 tests=BAYES_50,
	RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,
	USER_IN_WHITELIST autolearn=disabled version=3.3.2
X-Envelope-From: pablo@netfilter.org
Received: from unknown (HELO antivirus3) (127.0.0.1)
	by us.es with SMTP; 24 Sep 2012 13:04:32 -0000
Received: from 192.168.1.13 (192.168.1.13)
	by antivirus3 (F-Secure/fsigk_smtp/407/antivirus3);
	Mon, 24 Sep 2012 15:04:32 +0200 (CEST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/407/antivirus3)
Received: (qmail 5585 invoked from network); 24 Sep 2012 15:04:32 +0200
Received: from 105.110.221.87.dynamic.jazztel.es (HELO
	localhost.localdomain) (pneira@us.es@87.221.110.105)
	by us.es with SMTP; 24 Sep 2012 15:04:32 +0200
From: pablo@netfilter.org
To: netfilter-devel@vger.kernel.org
Subject: [PATCH 1/2] netfilter: nfnetlink_queue: fix maximum packet length
	to userspace
Date: Mon, 24 Sep 2012 15:03:09 +0200
Message-Id: <1348491790-10276-2-git-send-email-pablo@netfilter.org>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1348491790-10276-1-git-send-email-pablo@netfilter.org>
References: <1348491790-10276-1-git-send-email-pablo@netfilter.org>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Pablo Neira Ayuso <pablo@netfilter.org>

The packets that we send via NFQUEUE are encapsulated in the NFQA_PAYLOAD
attribute. The length of the packet in userspace is obtained via
attr->nla_len field. This field contains the size of the Netlink
attribute header plus the packet length.

If the maximum packet length is specified, ie. 65535 bytes, and
packets in the range of (65531,65535] are sent to userspace, the
attr->nla_len overflows and it reports bogus lengths to the
application.

To fix this, this patch limits the maximum packet length to 65531
bytes. If larger packet length is specified, the packet that we
send to user-space is truncated to 65531 bytes.

To support 65535 bytes packets, we have to revisit the idea of
the 32-bits Netlink attribute length.

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_queue_core.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 43de3a0..3e4ddcb7 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -526,9 +526,13 @@ nfqnl_set_mode(struct nfqnl_instance *queue,
 
 	case NFQNL_COPY_PACKET:
 		queue->copy_mode = mode;
-		/* we're using struct nlattr which has 16bit nla_len */
-		if (range > 0xffff)
-			queue->copy_range = 0xffff;
+		/* We're using struct nlattr which has 16bit nla_len. Note that
+		 * nla_len includes the header length. Thus, the maximum packet
+		 * length that we support is 65531 bytes. We send truncated
+		 * packets if the specified length is larger than that.
+		 */
+		if (range > 0xffff - NLA_HDRLEN)
+			queue->copy_range = 0xffff - NLA_HDRLEN;
 		else
 			queue->copy_range = range;
 		break;