| | | |
|---|---|---|
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-07-14 19:01:25 +0200 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-07-22 12:31:11 +0200 |
| commit | b1a348208a9e5749860a95ceb0307fc16f2edb7f (patch) | |
| tree | c2ceabc7ccc33a204712a05726e25bb5cf094ca6 /src/rbtree.c | |
| parent | 5f26c71080f3744b50d60e00bc50805d833524eb (diff) | |
src: rework batching logic to fix possible use of uninitialized pages
This patch reworks the batching logic in several aspects:
1) New batch pages are now always added into the batch page list in
the first place. Then, in the send path, if the last batch page is
empty, it is removed from the batch list.
2) nft_batch_page_add() is only called if the current batch page is
full. Therefore, it is guaranteed to find a valid netlink message
in the batch page when moving the tail that didn't fit into a new
batch page.
3) The batch paging is initialized and released from the nft_netlink()
path.
4) No more global struct mnl_nlmsg_batch *batch that points to the
current batch page. Instead, it is retrieved from the tail of the
batch list, which indicates the current batch page.
This patch fixes a crash due to access of an uninitialized memory area
caused by calling batch_page_add() with an empty batch in the send path,
and the memleak of the batch page contents. Reported in:
http://patchwork.ozlabs.org/patch/367085/
http://patchwork.ozlabs.org/patch/367774/
The patch is larger, but this saves the zeroing of the batch page area.
Reported-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rbtree.c')
0 files changed, 0 insertions, 0 deletions