nfnetlink: do not ack malformed messages

Commit 0628b123c96d ("netfilter: nfnetlink: add batch support and use it
from nf_tables") introduced a bug leading to various crashes in netlink_ack
when netlink message with invalid nlmsg_len was sent by an unprivileged
user.

Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/netfilter/nfnetlink.c

@@ -363,13 +363,15 @@ static void nfnetlink_rcv(struct sk_buff *skb)
 	struct net *net = sock_net(skb->sk);
 	int msglen;
 
-	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
-		return netlink_ack(skb, nlh, -EPERM);
-
 	if (nlh->nlmsg_len < NLMSG_HDRLEN ||
 	    skb->len < nlh->nlmsg_len)
 		return;
 
+	if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+		netlink_ack(skb, nlh, -EPERM);
+		return;
+	}
+
 	if (nlh->nlmsg_type == NFNL_MSG_BATCH_BEGIN) {
 		struct nfgenmsg *nfgenmsg;