[TIPC]: Fix infinite loop in netlink handler

The tipc netlink config handler uses the nlmsg_pid from the request header as destination for its reply. If the application initialized nlmsg_pid to 0, the reply is looped back to the kernel, causing hangup. Fix: use nlmsg_pid of the skb that triggered the request. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>

[TIPC]: Fix infinite loop in netlink handler
The tipc netlink config handler uses the nlmsg_pid from the request header as destination for its reply. If the application initialized nlmsg_pid to 0, the reply is looped back to the kernel, causing hangup. Fix: use nlmsg_pid of the skb that triggered the request. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal · David S. Miller
1 parent dbbeb2f991
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
net/tipc/netlink.c
@@ -60,7 +60,7 @@
 		rep_nlh = nlmsg_hdr(rep_buf);
 		memcpy(rep_nlh, req_nlh, hdr_space);
 		rep_nlh->nlmsg_len = rep_buf->len;
-		genlmsg_unicast(rep_buf, req_nlh->nlmsg_pid);
+		genlmsg_unicast(rep_buf, NETLINK_CB(skb).pid);
 	}
  
 	return 0;
...	...	@@ -60,7 +60,7 @@
60	60	rep_nlh = nlmsg_hdr(rep_buf);
61	61	memcpy(rep_nlh, req_nlh, hdr_space);
62	62	rep_nlh->nlmsg_len = rep_buf->len;
63		- genlmsg_unicast(rep_buf, req_nlh->nlmsg_pid);
	63	+ genlmsg_unicast(rep_buf, NETLINK_CB(skb).pid);
64	64	}
65	65
66	66	return 0;