
Commit 382de75

tmp: fix kernel crash (?)
1 parent 84c3b15 commit 382de75

1 file changed

Lines changed: 25 additions & 3 deletions


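--- a/src/nfqueue.c
+++ b/src/nfqueue.c
@@ -42,6 +42,8 @@
 static int fd = -1;
 static struct nfq_handle *h = NULL;
 static struct nfq_q_handle *qh = NULL;
+static uint8_t *payload_buffer = NULL;
+static const size_t payload_bufsiz = 65535;
 
 static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
 struct nfq_data *nfa, void *data)
@@ -74,6 +76,13 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
 goto ret_accept;
 }
 
+if ((size_t) pkt_len > payload_bufsiz) {
+EE("ERROR: packet is too big: %d", pkt_len);
+goto ret_accept;
+}
+
+memcpy(payload_buffer, pkt_data, pkt_len);
+
 memset(&sll, 0, sizeof(sll));
 sll.sll_family = AF_PACKET;
 sll.sll_protocol = ph->hw_protocol;
@@ -98,14 +107,14 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
 memset(sll.sll_addr, 0, sizeof(sll.sll_addr));
 }
 
-verdict = fh_rawsend_handle(&sll, pkt_data, pkt_len, &modified);
+verdict = fh_rawsend_handle(&sll, payload_buffer, pkt_len, &modified);
 if (verdict < 0) {
 EE(T(fh_rawsend_handle));
 goto ret_accept;
 }
 
 if (modified && verdict != NF_DROP) {
-return nfq_set_verdict(qh, pkt_id, verdict, pkt_len, pkt_data);
+return nfq_set_verdict(qh, pkt_id, verdict, pkt_len, payload_buffer);
 }
 
 return nfq_set_verdict(qh, pkt_id, verdict, 0, NULL);
@@ -121,6 +130,12 @@ int fh_nfq_setup(void)
 char *err_hint;
 socklen_t opt_len;
 
+payload_buffer = malloc(payload_bufsiz);
+if (!payload_buffer) {
+E("ERROR: malloc(): %s", strerror(errno));
+return -1;
+}
+
 h = nfq_open();
 if (!h) {
 switch (errno) {
@@ -134,7 +149,7 @@ int fh_nfq_setup(void)
 err_hint = "";
 }
 E("ERROR: nfq_open(): %s%s", strerror(errno), err_hint);
-return -1;
+goto free_buff;
 }
 
 qh = nfq_create_queue(h, g_ctx.nfqnum, &callback, NULL);
@@ -192,6 +207,9 @@ int fh_nfq_setup(void)
 
 return 0;
 
+free_buff:
+free(payload_buffer);
+
 destroy_queue:
 nfq_destroy_queue(qh);
 
@@ -214,6 +232,10 @@ void fh_nfq_cleanup(void)
 h = NULL;
 fd = -1;
 }
+
+if (payload_buffer) {
+free(payload_buffer);
+}
 }
 
 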
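Review bot: The new `free_buff:` label in the 192/207 hunk of fh_nfq_setup() is placed above `destroy_queue:`, so the `goto free_buff` taken when nfq_open() fails falls through into `nfq_destroy_queue(qh)` and whatever cleanup follows with qh and h still NULL, while the error paths that jump to the later labels never pass `free(payload_buffer)` and leak it; the remainder of the cleanup chain is outside the hunk, so its exact shape is inferred. Moving the label to the end of the chain, just before its final `return`, fixes both directions: `free_buff:` / `free(payload_buffer);` / `payload_buffer = NULL;`. Resetting the pointer also matters for the 214/232 hunk, where fh_nfq_cleanup() frees without clearing `payload_buffer`, so a second cleanup call, or a cleanup after a failed setup, would double-free; the `if (payload_buffer)` guard there is redundant since free(NULL) is a no-op. In the 74/76 hunk the size check before memcpy() is the right fix for the oversized-packet case, but a one-line comment such as `/* pkt_len may be -1 on nfq_get_payload() failure; the size_t cast makes that fail the bound too */` would make the cast's intent explicit.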