From a0f466387dbca955f3681d7a163a5af174df0a4b Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Tue, 7 Jan 2020 07:27:40 +0100
Subject: sys/linux: fix 2 netlink data layout bugs

1. Turns out that NLA_F_NESTED is actually used and checked (nla_parse_nested checks it, while nla_parse_nested_deprecated does not). Similarly, ipset extensively checks NLA_F_NET_BYTEORDER. So we need these bits.
2. nla_len must not account for the trailing alighnment padding. This means we set wrong len for payloads that are not multiple of 4 (int8/int16/strings/arrays/some structs/etc).
---
 sys/linux/socket_netlink.txt | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
(limited to 'sys/linux/socket_netlink.txt')
diff --git a/sys/linux/socket_netlink.txt b/sys/linux/socket_netlink.txt
index e459514a3..9efc4e8b7 100644
--- a/sys/linux/socket_netlink.txt
+++ b/sys/linux/socket_netlink.txt
@@ -92,24 +92,37 @@ type netlink_msg_t[TYPE, PAYLOAD, ATTRS] {
 type netlink_msg[TYPE, PAYLOAD, ATTRS] netlink_msg_t[const[TYPE, int16], PAYLOAD, ATTRS]
 type nlattr_t[TYPE, PAYLOAD] {
- nla_len len[parent, int16]
+ nla_len offsetof[size, int16]
 nla_type TYPE
 payload PAYLOAD
+ size void
+} [packed, align_4]
+
+type nlattr_tt[TYPE, NETORDER, NESTED, PAYLOAD] {
+ nla_len offsetof[size, int16]
+ nla_type TYPE
+ NLA_F_NET_BYTEORDER const[NETORDER, int16:1]
+ NLA_F_NESTED const[NESTED, int16:1]
+ payload PAYLOAD
+ size void
 } [packed, align_4]
-# NL80211 has 150 attributes.
-type nlattr_anytype[PAYLOAD] nlattr_t[int16[0:150], PAYLOAD]
 type nlattr[TYPE, PAYLOAD] nlattr_t[const[TYPE, int16], PAYLOAD]
+# nlattr with NLA_F_NESTED set.
+type nlnest[TYPE, PAYLOAD] nlattr_tt[const[TYPE, int16:14], 0, 1, PAYLOAD]
+# nlattr with NLA_F_NET_BYTEORDER set (unused for now).
+# type nlnetw[TYPE, PAYLOAD] nlattr_tt[const[TYPE, int16:14], 1, 0, PAYLOAD]
 nl_generic_attr [
 generic array[int8]
- typed nlattr_anytype[nl_generic_attr_data]
- nested nlattr_anytype[array[nl_generic_attr_nonested]]
+# NL80211 has 150 attributes.
+ typed nlattr_tt[int16:14[0:150], 0, 0, nl_generic_attr_data]
+ nested nlattr_tt[int16:14[0:150], 0, 1, array[nl_generic_attr_nonested]]
 ] [varlen]
 nl_generic_attr_nonested [
 generic array[int8]
- typed nlattr_anytype[nl_generic_attr_data]
+ typed nlattr_tt[int16:14[0:150], 0, 0, nl_generic_attr_data]
 ] [varlen]
 nl_generic_attr_data [
-- cgit mrf-deployment
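Review bot: `nlattr_tt` only yields a 4-byte attribute header when its TYPE argument is 14 bits wide, and nothing on the type says so. Both users in this hunk pass `int16:14` (`nlnest` and the `nl_generic_attr` fields), while `nlattr_t` takes a full `int16`. A caller that copies the `nlattr_t` convention would presumably push the two flag bits into a second 16-bit unit and shift the payload, producing silently malformed attributes rather than a description error. I would add a comment above the type such as `# TYPE must be an int16:14 so that nla_type and the two flag bits share one int16.` The trailing `size void` field also deserves one line in both structs, e.g. `# size marks the end of the payload; offsetof[size] gives nla_len without the align_4 padding.`, since that marker is the whole of fix 2 and its role is not evident from the field name.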