linux/net/ipv4
Arnaud Ebalard 9a732ed6d0 netfilter: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets
While reinjecting *bigger* modified versions of IPv6 packets using
libnetfilter_queue, things work fine on a 2.6.24 kernel (2.6.22 too)
but I get the following on recents kernels (2.6.25, trace below is
against today's net-2.6 git tree):

skb_over_panic: text:c04fddb0 len:696 put:632 head:f7592c00 data:f7592c00 tail:0xf7592eb8 end:0xf7592e80 dev:eth0
------------[ cut here ]------------
invalid opcode: 0000 [#1] PREEMPT 
Process sendd (pid: 3657, ti=f6014000 task=f77c31d0 task.ti=f6014000)
Stack: c071e638 c04fddb0 000002b8 00000278 f7592c00 f7592c00 f7592eb8 f7592e80 
       f763c000 f6bc5200 f7592c40 f6015c34 c04cdbfc f6bc5200 00000278 f6015c60 
       c04fddb0 00000020 f72a10c0 f751b420 00000001 0000000a 000002b8 c065582c 
Call Trace:
 [<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0
 [<c04cdbfc>] ? skb_put+0x3c/0x40
 [<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0
 [<c04fd115>] ? nfnetlink_rcv_msg+0xf5/0x160
 [<c04fd03e>] ? nfnetlink_rcv_msg+0x1e/0x160
 [<c04fd020>] ? nfnetlink_rcv_msg+0x0/0x160
 [<c04f8ed7>] ? netlink_rcv_skb+0x77/0xa0
 [<c04fcefc>] ? nfnetlink_rcv+0x1c/0x30
 [<c04f8c73>] ? netlink_unicast+0x243/0x2b0
 [<c04cfaba>] ? memcpy_fromiovec+0x4a/0x70
 [<c04f9406>] ? netlink_sendmsg+0x1c6/0x270
 [<c04c8244>] ? sock_sendmsg+0xc4/0xf0
 [<c011970d>] ? set_next_entity+0x1d/0x50
 [<c0133a80>] ? autoremove_wake_function+0x0/0x40
 [<c0118f9e>] ? __wake_up_common+0x3e/0x70
 [<c0342fbf>] ? n_tty_receive_buf+0x34f/0x1280
 [<c011d308>] ? __wake_up+0x68/0x70
 [<c02cea47>] ? copy_from_user+0x37/0x70
 [<c04cfd7c>] ? verify_iovec+0x2c/0x90
 [<c04c837a>] ? sys_sendmsg+0x10a/0x230
 [<c011967a>] ? __dequeue_entity+0x2a/0xa0
 [<c011970d>] ? set_next_entity+0x1d/0x50
 [<c0345397>] ? pty_write+0x47/0x60
 [<c033d59b>] ? tty_default_put_char+0x1b/0x20
 [<c011d2e9>] ? __wake_up+0x49/0x70
 [<c033df99>] ? tty_ldisc_deref+0x39/0x90
 [<c033ff20>] ? tty_write+0x1a0/0x1b0
 [<c04c93af>] ? sys_socketcall+0x7f/0x260
 [<c0102ff9>] ? sysenter_past_esp+0x6a/0x91
 [<c05f0000>] ? snd_intel8x0m_probe+0x270/0x6e0
 =======================
Code: 00 00 89 5c 24 14 8b 98 9c 00 00 00 89 54 24 0c 89 5c 24 10 8b 40 50 89 4c 24 04 c7 04 24 38 e6 71 c0 89 44 24 08 e8 c4 46 c5 ff <0f> 0b eb fe 55 89 e5 56 89 d6 53 89 c3 83 ec 0c 8b 40 50 39 d0 
EIP: [<c04ccdfc>] skb_over_panic+0x5c/0x60 SS:ESP 0068:f6015bf8


Looking at the code, I ended up in nfq_mangle() function (called by
nfqnl_recv_verdict()) which performs a call to skb_copy_expand() due to
the increased size of data passed to the function. AFAICT, it should ask
for 'diff' instead of 'diff - skb_tailroom(e->skb)'. Because the
resulting sk_buff has not enough space to support the skb_put(skb, diff)
call a few lines later, this results in the call to skb_over_panic().

The patch below asks for allocation of a copy with enough space for
mangled packet and the same amount of headroom as old sk_buff. While
looking at how the regression appeared (e2b58a67), I noticed the same
pattern in ipq_mangle_ipv6() and ipq_mangle_ipv4(). The patch corrects
those locations too.

Tested with bigger reinjected IPv6 packets (nfqnl_mangle() path), things
are ok (2.6.25 and today's net-2.6 git tree).

Signed-off-by: Arnaud Ebalard <arno@natisbad.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-29 03:16:34 -07:00
..
ipvs net: replace remaining __FUNCTION__ occurrences 2008-03-05 20:47:47 -08:00
netfilter netfilter: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets 2008-04-29 03:16:34 -07:00
af_inet.c [IPV4]: Use NIPQUAD_FMT to format ipv4 addresses. 2008-04-14 04:09:00 -07:00
ah4.c [IPSEC]: Fix bogus usage of u64 on input sequence number 2008-02-12 22:50:35 -08:00
arp.c [IPV4]: Use NIPQUAD_FMT to format ipv4 addresses. 2008-04-14 04:09:00 -07:00
cipso_ipv4.c [IPV4]: Remove unused ip_options->is_data. 2008-03-22 16:35:29 -07:00
datagram.c [IPV4] net/ipv4: Use ipv4_is_<type> 2008-01-28 14:58:15 -08:00
devinet.c [NET] NETNS: Omit sock->sk_net without CONFIG_NET_NS. 2008-03-26 04:39:55 +09:00
esp4.c [ESP]: Ensure IV is in linear part of the skb to avoid BUG() due to OOB access 2008-03-27 16:08:03 -07:00
fib_frontend.c [NET] NETNS: Omit sock->sk_net without CONFIG_NET_NS. 2008-03-26 04:39:55 +09:00
fib_hash.c [NET]: Fix heavy stack usage in seq_file output routines. 2008-04-24 01:02:16 -07:00
fib_lookup.h [IPV4] FIB_HASH: Reduce memory needs and speedup lookups 2008-01-28 15:02:46 -08:00
fib_rules.c [NET] NETNS: Omit sock->sk_net without CONFIG_NET_NS. 2008-03-26 04:39:55 +09:00
fib_semantics.c [NETNS]: Add netns refcnt debug into fib_info. 2008-04-16 02:00:50 -07:00
fib_trie.c [NET]: Fix heavy stack usage in seq_file output routines. 2008-04-24 01:02:16 -07:00
icmp.c [IPV4]: Convert do_gettimeofday() to getnstimeofday(). 2008-04-21 02:34:08 -07:00
igmp.c [NET] NETNS: Omit sock->sk_net without CONFIG_NET_NS. 2008-03-26 04:39:55 +09:00
inet_connection_sock.c [SOCK]: Add some notes about per-bind-bucket sock lookup. 2008-04-14 02:42:27 -07:00
inet_diag.c [NETNS]: Tcp-v6 sockets per-net lookup. 2008-01-31 19:28:20 -08:00
inet_fragment.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-04-02 22:35:23 -07:00
inet_hashtables.c [INET]: Uninline the __inet_inherit_port call. 2008-04-17 23:18:15 -07:00
inet_lro.c [LRO] Fix lro_mgr->features checks 2008-01-08 23:30:18 -08:00
inet_timewait_sock.c [NETNS]: Add netns refcnt debug for timewait buckets. 2008-04-16 02:00:28 -07:00
inetpeer.c [INET]: Use list_head-s in inetpeer.c 2007-11-12 21:27:28 -08:00
ip_forward.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-04-02 22:35:23 -07:00
ip_fragment.c [IPV4]: Use NIPQUAD_FMT to format ipv4 addresses. 2008-04-14 04:09:00 -07:00
ip_gre.c [GRE]: Allow for IPPROTO_GRE protocol in namespaces. 2008-04-16 01:11:36 -07:00
ip_input.c [IPV4]: Use NIPQUAD_FMT to format ipv4 addresses. 2008-04-14 04:09:00 -07:00
ip_options.c [IPV4]: Convert do_gettimeofday() to getnstimeofday(). 2008-04-21 02:34:08 -07:00
ip_output.c [NET] NETNS: Omit sock->sk_net without CONFIG_NET_NS. 2008-03-26 04:39:55 +09:00
ip_sockglue.c ipv4/ipv6 compat: Fix SSM applications on 64bit kernels. 2008-04-27 14:26:53 -07:00
ipcomp.c [IPV4]: Use NIPQUAD_FMT to format ipv4 addresses. 2008-04-14 04:09:00 -07:00
ipconfig.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-04-17 23:56:30 -07:00
ipip.c [IPIP]: Allow to create IPIP tunnels in net namespaces. 2008-04-16 01:06:18 -07:00
ipmr.c [NET] NETNS: Omit sock->sk_net without CONFIG_NET_NS. 2008-03-26 04:39:55 +09:00
Kconfig Documentation: move nfsroot.txt to filesystems/ 2008-04-11 13:18:01 -06:00
Makefile [UDP]: Revert udplite and code split. 2008-03-06 16:22:02 -08:00
netfilter.c [NETFILTER]: Add partial checksum validation helper 2008-04-14 11:15:49 +02:00
proc.c [IPV4][NETNS]: Display per-net info in sockstat file. 2008-03-31 19:43:18 -07:00
protocol.c [IPV4]: align inet_protos[] on SMP 2007-04-25 22:28:20 -07:00
raw.c [SOCK][NETNS]: Add a struct net argument to sock_prot_inuse_add and _get. 2008-03-31 19:41:46 -07:00
route.c [NET]: Fix heavy stack usage in seq_file output routines. 2008-04-24 01:02:16 -07:00
syncookies.c [Syncookies]: Add support for TCP options via timestamps. 2008-04-10 03:12:40 -07:00
sysctl_net_ipv4.c [NETNS][ICMP]: Make ctl tables for ICMP sysctls per-net. 2008-03-26 01:56:24 -07:00
tcp_bic.c [TCP]: BIC web page link is corrected. 2008-02-28 22:14:32 -08:00
tcp_cong.c tcp: Limit cwnd growth when deferring for GSO 2008-04-29 03:13:52 -07:00
tcp_cubic.c [TCP]: TCP cubic v2.2 2008-03-04 14:17:41 -08:00
tcp_diag.c [INET]: Let inet_diag and friends autoload 2007-10-22 02:59:54 -07:00
tcp_highspeed.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_htcp.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_hybla.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_illinois.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_input.c tcp: Fix slab corruption with ipv6 and tcp6fuzz 2008-04-27 15:27:30 -07:00
tcp_ipv4.c [NET]: Fix heavy stack usage in seq_file output routines. 2008-04-24 01:02:16 -07:00
tcp_lp.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_minisocks.c [TCP]: TCP_DEFER_ACCEPT updates - process as established 2008-03-21 16:33:01 -07:00
tcp_output.c [TCP]: Remove superflushious skb == write_queue_tail() check 2008-04-15 20:36:55 -07:00
tcp_probe.c tcp: tcp_probe buffer overflow and incorrect return value 2008-04-24 21:11:58 -07:00
tcp_scalable.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_timer.c [TCP]: Format addresses appropriately in debug messages. 2008-04-14 04:09:36 -07:00
tcp_vegas.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_vegas.h [TCP]: congestion control API pass RTT in microseconds 2007-07-31 02:27:57 -07:00
tcp_veno.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_westwood.c [TCP]: congestion control API pass RTT in microseconds 2007-07-31 02:27:57 -07:00
tcp_yeah.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp.c tcp: Trivial fix to correct function name in a comment in net/ipv4/tcp.c 2008-04-21 02:27:58 -07:00
tunnel4.c [SIT]: Allow for IPPROTO_IPV6 protocol in namespaces. 2008-04-16 01:17:39 -07:00
udp_impl.h [UDP]: Make full use of proto.h.udp_hash innovation. 2008-03-22 16:51:21 -07:00
udp.c [NET]: Fix heavy stack usage in seq_file output routines. 2008-04-24 01:02:16 -07:00
udplite.c [UDP]: Remove owner from udp_seq_afinfo. 2008-03-28 18:25:53 -07:00
xfrm4_input.c [IPSEC]: Fix transport-mode async resume on intput without netfilter 2008-01-28 15:00:10 -08:00
xfrm4_mode_beet.c [IPSEC]: Fix BEET output 2008-03-26 16:51:09 -07:00
xfrm4_mode_transport.c [IPSEC]: Use IPv6 calling convention as the convention for x->mode->output 2007-10-10 16:55:54 -07:00
xfrm4_mode_tunnel.c [IPSEC]: Fix inter address family IPsec tunnel handling. 2008-03-24 14:51:51 -07:00
xfrm4_output.c [IPSEC]: Fix inter address family IPsec tunnel handling. 2008-03-24 14:51:51 -07:00
xfrm4_policy.c [NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS. 2008-03-26 04:39:53 +09:00
xfrm4_state.c [IPSEC]: Fix BEET output 2008-03-26 16:51:09 -07:00
xfrm4_tunnel.c [IPCOMP]: Fix reception of incompressible packets 2008-01-31 19:27:24 -08:00