From 493cbf585d8f9a2a79a86e5bbca600ca1ea8ab60 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 14 Nov 2016 22:41:26 +0100
Subject: mnl: use nftnl_set_elems_nlmsg_build_payload_iter() when deleting
 elements

Otherwise, nft crashes when deleting a very large number of elements.

*** stack smashing detected ***: nft terminated
Segmentation fault

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/mnl.c | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index 52875f4a..137ecf0d 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -867,8 +867,9 @@ static int set_elem_cb(const struct nlmsghdr *nlh, void *data)
 	return MNL_CB_OK;
 }
 
-int mnl_nft_setelem_batch_add(struct nftnl_set *nls, unsigned int flags,
-			      uint32_t seqnum)
+static int mnl_nft_setelem_batch(struct nftnl_set *nls,
+				 enum nf_tables_msg_types cmd,
+				 unsigned int flags, uint32_t seqnum)
 {
 	struct nlmsghdr *nlh;
 	struct nftnl_set_elems_iter *iter;
@@ -880,8 +881,7 @@ int mnl_nft_setelem_batch_add(struct nftnl_set *nls, unsigned int flags,
 
 	do {
 		nlh = nftnl_set_elem_nlmsg_build_hdr(nftnl_batch_buffer(batch),
-				NFT_MSG_NEWSETELEM,
-				nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
+				cmd, nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
 				NLM_F_CREATE | flags, seqnum);
 		ret = nftnl_set_elems_nlmsg_build_payload_iter(nlh, iter);
 		mnl_nft_batch_continue();
@@ -892,19 +892,16 @@ int mnl_nft_setelem_batch_add(struct nftnl_set *nls, unsigned int flags,
 	return 0;
 }
 
-int mnl_nft_setelem_batch_del(struct nftnl_set *nls, unsigned int flags,
+int mnl_nft_setelem_batch_add(struct nftnl_set *nls, unsigned int flags,
 			      uint32_t seqnum)
 {
-	struct nlmsghdr *nlh;
-
-	nlh = nftnl_set_elem_nlmsg_build_hdr(nftnl_batch_buffer(batch),
-			NFT_MSG_DELSETELEM,
-			nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
-			0, seqnum);
-	nftnl_set_elems_nlmsg_build_payload(nlh, nls);
-	mnl_nft_batch_continue();
+	return mnl_nft_setelem_batch(nls, NFT_MSG_NEWSETELEM, flags, seqnum);
+}
 
-	return 0;
+int mnl_nft_setelem_batch_del(struct nftnl_set *nls, unsigned int flags,
+			      uint32_t seqnum)
+{
+	return mnl_nft_setelem_batch(nls, NFT_MSG_DELSETELEM, flags, seqnum);
 }
 
 int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nftnl_set *nls)
-- 
cgit v1.2.3