From: Chris Wright Date: Tue, 7 Mar 2006 23:13:38 +0000 (-0800) Subject: Netfilter ip_queue fix wrong skb->len == nlmsg_len assumption, fwd from DaveM X-Git-Tag: v2.6.16.1~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=880c8c2b6d7c2d096c42c8b37d2c756fdf512087;p=thirdparty%2Fkernel%2Fstable-queue.git Netfilter ip_queue fix wrong skb->len == nlmsg_len assumption, fwd from DaveM --- diff --git a/queue/netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch b/queue/netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch new file mode 100644 index 00000000000..3f0860beb73 --- /dev/null +++ b/queue/netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch 
@@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Tue Mar 7 15:04:47 2006 +Date: Tue, 07 Mar 2006 14:59:23 -0800 (PST) +From: "David S. Miller" +To: stable@kernel.org +Cc: +Subject: [PATCH] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption + +The size of the skb carrying the netlink message is not +equivalent to the length of the actual netlink message +due to padding. ip_queue matches the length of the payload +against the original packet size to determine if packet +mangling is desired, due to the above wrong assumption +arbitary packets may not be mangled depening on their +original size. + +Signed-off-by: Thomas Graf +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + net/ipv4/netfilter/ip_queue.c | 2 +- + net/ipv6/netfilter/ip6_queue.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.15.6.orig/net/ipv4/netfilter/ip_queue.c ++++ linux-2.6.15.6/net/ipv4/netfilter/ip_queue.c +@@ -524,7 +524,7 @@ ipq_rcv_skb(struct sk_buff *skb) + write_unlock_bh(&queue_lock); + + status = ipq_receive_peer(NLMSG_DATA(nlh), type, +- skblen - NLMSG_LENGTH(0)); ++ nlmsglen - NLMSG_LENGTH(0)); + if (status < 0) + RCV_SKB_FAIL(status); + +--- linux-2.6.15.6.orig/net/ipv6/netfilter/ip6_queue.c ++++ linux-2.6.15.6/net/ipv6/netfilter/ip6_queue.c +@@ -522,7 +522,7 @@ ipq_rcv_skb(struct sk_buff *skb) + write_unlock_bh(&queue_lock); + + status = ipq_receive_peer(NLMSG_DATA(nlh), type, +- skblen - NLMSG_LENGTH(0)); ++ nlmsglen - NLMSG_LENGTH(0)); + if (status < 0) + RCV_SKB_FAIL(status); + diff --git a/queue/series b/queue/series index 2a0d4af32f1..51a0849cb9f 100644 --- a/queue/series +++ b/queue/series @@ -1 +1,2 @@ ib-srp-don-t-send-task-management-commands-after-target-removal.patch +netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch
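Review bot: In the ipq_rcv_skb hunk for net/ipv4/netfilter/ip_queue.c, the new length argument `nlmsglen - NLMSG_LENGTH(0)` is only safe if nlmsglen has already been validated, and neither bound is visible in the context lines shown. Before this call nlmsglen needs to be at least NLMSG_LENGTH(0), otherwise the subtraction goes negative or wraps depending on the variable's type, and it needs to be no larger than skblen, otherwise ipq_receive_peer is handed a payload length that extends past the data the skb actually carries. Please confirm both checks sit earlier in ipq_rcv_skb, or add them as part of this fix. The same point applies to the identical one-line change in net/ipv6/netfilter/ip6_queue.c.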
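Review bot: The description in the new queue/netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch file carries no reference to the upstream commit it was forwarded from, which makes it hard to trace the stable backport to mainline later. Suggest adding the upstream commit id next to the Signed-off-by lines. The description would also be easier to triage if it stated the user-visible symptom in one sentence (a verdict message with a replacement payload is not applied when the padded skb length differs from the netlink message length), and "arbitary" and "depening" are misspelled.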