net: psample: fix info leak in PSAMPLE_ATTR_DATA
authorJakub Kicinski <kuba@kernel.org>
Tue, 16 Jun 2026 00:30:46 +0000 (17:30 -0700)
committerJakub Kicinski <kuba@kernel.org>
Wed, 17 Jun 2026 23:35:50 +0000 (16:35 -0700)
psample open codes nla_put() presumably to avoid wiping
the data with 0s just to override it with packet data.
This open coding is missing clearing the pad, however,
each netlink attr is padded to 4B and data_len may
not be divisible by 4B.

Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20260616003046.1099490-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/psample/psample.c

index 7763662036fb7d69d4b899dc2b2c89eb9435660a..c112e1f0ccacb013671e76474645d7a735e5681d 100644 (file)
@@ -476,15 +476,17 @@ void psample_sample_packet(struct psample_group *group,
                goto error;
 
        if (data_len) {
-               int nla_len = nla_total_size(data_len);
+               int nla_len = nla_attr_size(data_len);
                struct nlattr *nla;
 
                nla = skb_put(nl_skb, nla_len);
                nla->nla_type = PSAMPLE_ATTR_DATA;
-               nla->nla_len = nla_attr_size(data_len);
+               nla->nla_len = nla_len;
 
                if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
                        goto error;
+
+               skb_put_zero(nl_skb, nla_padlen(data_len));
        }
 
 #ifdef CONFIG_INET
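Review bot: The attribute is still assembled by hand inside the `if (data_len)` block, so the header write, the payload copy and the new `skb_put_zero(nl_skb, nla_padlen(data_len))` must stay in step for the pad to be cleared before the message reaches userspace listeners. `nla_reserve()` already sets up the header and zeroes only the padding, leaving the payload bytes untouched, and it checks tailroom rather than relying on the earlier size calculation; `nla = nla_reserve(nl_skb, PSAMPLE_ATTR_DATA, data_len); if (!nla) goto error;` followed by the existing `skb_copy_bits()` call should put the same bytes on the wire. If the open-coded form is kept, a comment above the last added line such as `/* zero the attr padding, it is copied to userspace */` would stop a later cleanup from dropping it. The allocation of `nl_skb` and the `error` label are outside the hunk, so whether the reserved tailroom accounts for the pad cannot be confirmed from here.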