--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 7 15:04:47 2006
+Date: Tue, 07 Mar 2006 14:59:23 -0800 (PST)
+From: "David S. Miller" <davem@davemloft.net>
+To: stable@kernel.org
+Cc:
+Subject: [PATCH] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption
+
+The size of the skb carrying the netlink message is not
+equivalent to the length of the actual netlink message
+due to padding. ip_queue matches the length of the payload
+against the original packet size to determine if packet
+mangling is desired, due to the above wrong assumption
+arbitary packets may not be mangled depening on their
+original size.
+
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/ipv4/netfilter/ip_queue.c | 2 +-
+ net/ipv6/netfilter/ip6_queue.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.15.6.orig/net/ipv4/netfilter/ip_queue.c
++++ linux-2.6.15.6/net/ipv4/netfilter/ip_queue.c
+@@ -524,7 +524,7 @@ ipq_rcv_skb(struct sk_buff *skb)
+ write_unlock_bh(&queue_lock);
+
+ status = ipq_receive_peer(NLMSG_DATA(nlh), type,
+- skblen - NLMSG_LENGTH(0));
++ nlmsglen - NLMSG_LENGTH(0));
+ if (status < 0)
+ RCV_SKB_FAIL(status);
+
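Review bot: the new length argument on the `ipq_receive_peer()` call, `nlmsglen - NLMSG_LENGTH(0)`, is only safe if `nlmsglen` has already been checked to be at least `NLMSG_LENGTH(0)` and no larger than `skblen`, and neither check is visible in this hunk's context. The changelog describes `nlmsglen` as the length of the actual netlink message, so it is peer-controlled. A value below the header length would make the subtraction go negative or wrap, depending on the variable's type, and a value above `skblen` would describe payload the skb does not carry. Please confirm that the earlier part of `ipq_rcv_skb()` rejects both cases and state that in the changelog, so stable reviewers can see why switching from `skblen` to `nlmsglen` cannot loosen the bound.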
+--- linux-2.6.15.6.orig/net/ipv6/netfilter/ip6_queue.c
++++ linux-2.6.15.6/net/ipv6/netfilter/ip6_queue.c
+@@ -522,7 +522,7 @@ ipq_rcv_skb(struct sk_buff *skb)
+ write_unlock_bh(&queue_lock);
+
+ status = ipq_receive_peer(NLMSG_DATA(nlh), type,
+- skblen - NLMSG_LENGTH(0));
++ nlmsglen - NLMSG_LENGTH(0));
+ if (status < 0)
+ RCV_SKB_FAIL(status);
+
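Review bot: the `ipq_receive_peer()` call in `ip6_queue.c` gets the identical one-line change, but the subject names only ip_queue and the changelog text never mentions the IPv6 queue, even though the diffstat lists both files. Suggest naming ip6_queue in the changelog so the IPv6 side of the fix is searchable in the stable history. The same precondition applies here as in the IPv4 hunk: `nlmsglen - NLMSG_LENGTH(0)` needs `nlmsglen` validated against both `NLMSG_LENGTH(0)` and `skblen` before this line, and this hunk's context does not show that check.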