From patchwork Mon May 7 15:23:59 2018
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 909812
X-Patchwork-Delegate: pablo@netfilter.org
From: Florian Westphal
To:
Cc: Florian Westphal
Subject: [PATCH nf] netfilter: nf_tables_api: set min dump size to 8k
Date: Mon, 7 May 2018 17:23:59 +0200
Message-Id: <20180507152359.25950-1-fw@strlen.de>
X-Mailer: git-send-email 2.16.1
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

Under rare conditions it's possible that nfnetlink dump of nft ruleset will not return any result.

Problem occurs when netlink_dump() is invoked for first time, in response to incoming dump request. In that case, netlink socket hasn't recorded the size of the userspace buffer yet, as userspace did not call recv() yet, so NLMSG_GOODSIZE sized skb is allocated.

In extreme case, the first rule to be added is larger than this, which ends the dump (callback returns 0, as skb has no data).

The problem won't occur in case a smaller expression was added first, because then dump returns skb with data, which gets placed on socket's receive queue. Next recv() from user allocates skb based on the size of the user buffer, e.g. 16k.

I don't like this change at all but I could not find another solution.

Signed-off-by: Florian Westphal

--- net/netfilter/nf_tables_api.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index a2bb31472aa1..975af75e232e 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2103,6 +2103,7 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk, if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { + .min_dump_alloc = SKB_WITH_OVERHEAD(8192), .dump = nf_tables_dump_rules, .done = nf_tables_dump_rules_done, };
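
Review bot: The bare `8192` in `.min_dump_alloc = SKB_WITH_OVERHEAD(8192)`, in the `NLM_F_DUMP` branch of `nf_tables_getrule()`, raises the floor for the first dump skb but, by the reasoning in the commit message, does not remove the failure: a first rule that serializes to more than this size would still end the dump with no data, and userspace would still see an empty ruleset. Please add a comment above the initializer saying why 8k was chosen and that it is a lower bound on the first allocation rather than a guarantee, or use a named constant so the value is not a magic number. The subject names nf_tables_api in general while the hunk only changes the rule dump, so the commit message should also say whether the other dump paths in this file were checked for the same first-call condition.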