netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
authorXiang Mei <xmei5@asu.edu>
Wed, 1 Apr 2026 21:20:57 +0000 (14:20 -0700)
committerFlorian Westphal <fw@strlen.de>
Wed, 8 Apr 2026 11:33:36 +0000 (13:33 +0200)
When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
appends an NLMSG_DONE terminator with a sizeof(struct nfgenmsg) payload via
nlmsg_put(), but never initializes those payload bytes. The nlmsg_put()
helper only zeroes the alignment padding after the payload, not the payload
itself, so the four bytes of the nfgenmsg (family, version, res_id) are
copied to userspace holding stale kernel heap data, i.e. an infoleak in the
NLMSG_DONE message body.

Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
__build_packet_message() already constructs NFULNL_MSG_PACKET headers.

Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/nfnetlink_log.c

index f80978c06fa0a0917cc4638a25c67b2b51c05180..0db908518b2fa2e1ec4ca348af1def639e973ebe 100644 (file)
@@ -361,10 +361,10 @@ static void
 __nfulnl_send(struct nfulnl_instance *inst)
 {
        if (inst->qlen > 1) {
-               struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
-                                                NLMSG_DONE,
-                                                sizeof(struct nfgenmsg),
-                                                0);
+               struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
+                                                   NLMSG_DONE, 0,
+                                                   AF_UNSPEC, NFNETLINK_V0,
+                                                   htons(inst->group_num));
                if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
                              inst->skb->len, skb_tailroom(inst->skb))) {
                        kfree_skb(inst->skb);
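Review bot: The switch to nfnl_msg_put() for the NLMSG_DONE terminator deserves a one-line comment, because a later cleanup could easily "simplify" it back to the shorter nlmsg_put() form and silently reintroduce the uninitialized-payload leak; suggest `/* nfnl_msg_put() fills the nfgenmsg payload: this skb is copied to userspace, so it must not carry uninitialized heap bytes */` above the declaration. The terminator is built with AF_UNSPEC, while the packet messages built by __build_packet_message() (outside this hunk) presumably carry a per-packet family; that looks intentional since a batch can hold mixed families, but the comment could say so to pre-empt the question. The only failure handling is the existing WARN_ONCE(!nlh) path, which is unchanged and still frees the skb, so no new error branch is needed. __nfulnl_send() continues past the end of the hunk.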