diff options
| author | David S. Miller <davem@davemloft.net> | 2015-04-27 23:12:34 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-04-27 23:12:34 -0400 |
| commit | 39376ccb1968ba9f83e2a880a8bf02ad5dea44e1 (patch) | |
| tree | 8f1299a1ac38bd64415482212a33510eb94b3f56 | |
| parent | 876a7ae65b86d8cec8efe7d15d050ac61116874e (diff) | |
| parent | 547c4b547e07dcc60874b6ef6252dd49ff74aec1 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
due to memory corruption, from Florian Westphal.
2) Fix another crash in nf_queue when used with br_netfilter. Also from
Florian.
Both fixes are related to new stuff that got in 4.0-rc.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/linux/netfilter_bridge.h | 16 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 3 |
2 files changed, 15 insertions, 4 deletions
diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h index ab8f76dba668..f2fdb5a52070 100644 --- a/include/linux/netfilter_bridge.h +++ b/include/linux/netfilter_bridge.h | |||
| @@ -39,12 +39,24 @@ static inline void br_drop_fake_rtable(struct sk_buff *skb) | |||
| 39 | 39 | ||
| 40 | static inline int nf_bridge_get_physinif(const struct sk_buff *skb) | 40 | static inline int nf_bridge_get_physinif(const struct sk_buff *skb) |
| 41 | { | 41 | { |
| 42 | return skb->nf_bridge ? skb->nf_bridge->physindev->ifindex : 0; | 42 | struct nf_bridge_info *nf_bridge; |
| 43 | |||
| 44 | if (skb->nf_bridge == NULL) | ||
| 45 | return 0; | ||
| 46 | |||
| 47 | nf_bridge = skb->nf_bridge; | ||
| 48 | return nf_bridge->physindev ? nf_bridge->physindev->ifindex : 0; | ||
| 43 | } | 49 | } |
| 44 | 50 | ||
| 45 | static inline int nf_bridge_get_physoutif(const struct sk_buff *skb) | 51 | static inline int nf_bridge_get_physoutif(const struct sk_buff *skb) |
| 46 | { | 52 | { |
| 47 | return skb->nf_bridge ? skb->nf_bridge->physoutdev->ifindex : 0; | 53 | struct nf_bridge_info *nf_bridge; |
| 54 | |||
| 55 | if (skb->nf_bridge == NULL) | ||
| 56 | return 0; | ||
| 57 | |||
| 58 | nf_bridge = skb->nf_bridge; | ||
| 59 | return nf_bridge->physoutdev ? nf_bridge->physoutdev->ifindex : 0; | ||
| 48 | } | 60 | } |
| 49 | 61 | ||
| 50 | static inline struct net_device * | 62 | static inline struct net_device * |
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 78af83bc9c8e..ad9d11fb29fd 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c | |||
| @@ -4340,7 +4340,6 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, | |||
| 4340 | case NFT_CONTINUE: | 4340 | case NFT_CONTINUE: |
| 4341 | case NFT_BREAK: | 4341 | case NFT_BREAK: |
| 4342 | case NFT_RETURN: | 4342 | case NFT_RETURN: |
| 4343 | desc->len = sizeof(data->verdict); | ||
| 4344 | break; | 4343 | break; |
| 4345 | case NFT_JUMP: | 4344 | case NFT_JUMP: |
| 4346 | case NFT_GOTO: | 4345 | case NFT_GOTO: |
| @@ -4355,10 +4354,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, | |||
| 4355 | 4354 | ||
| 4356 | chain->use++; | 4355 | chain->use++; |
| 4357 | data->verdict.chain = chain; | 4356 | data->verdict.chain = chain; |
| 4358 | desc->len = sizeof(data); | ||
| 4359 | break; | 4357 | break; |
| 4360 | } | 4358 | } |
| 4361 | 4359 | ||
| 4360 | desc->len = sizeof(data->verdict); | ||
| 4362 | desc->type = NFT_DATA_VERDICT; | 4361 | desc->type = NFT_DATA_VERDICT; |
| 4363 | return 0; | 4362 | return 0; |
| 4364 | } | 4363 | } |