net: netlink: catch attempts to send empty messages

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

syzbot can figure out a way to redirect a netlink message to a tap.
Sending empty skbs to devices is not valid and we end up hitting
a skb_assert_len() in __dev_queue_xmit().

Make catching these mistakes easier, assert the skb size directly
in netlink core.

Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241218024400.824355-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 1 year ago 75e2c86c 3fc87cb9

1 changed file

expand all

net

netlink

af_netlink.c

net/netlink/af_netlink.c

··· 1287 1287 { 1288 1288 int delta; 1289 1289 1290 + skb_assert_len(skb); 1290 1291 WARN_ON(skb->sk != NULL); 1291 1292 delta = skb->end - skb->tail; 1292 1293 if (is_vmalloc_addr(skb->head) || delta * 2 < skb->truesize)