diff options
| author | David S. Miller <davem@davemloft.net> | 2017-04-14 10:47:13 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-04-14 10:47:13 -0400 |
| commit | f4c13c8ec56e70eeff3e365e0c5fcdad16845b32 (patch) | |
| tree | 0457df13f26af1b2b7f0ef9f0b470a6013cf98f8 /net | |
| parent | 14cf4a771b3098e431d2677e3533bdd962e478d8 (diff) | |
| parent | fe50543c194e2e1aee2f3eba41fcafd187b3dbde (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Missing TCP header sanity check in TCPMSS target, from Eric Dumazet.
2) Incorrect event message type for related conntracks created via
ctnetlink, from Liping Zhang.
3) Fix incorrect rcu locking when handling helpers from ctnetlink,
from Gao feng.
4) Fix missing rcu locking when updating helper, from Liping Zhang.
5) Fix missing read_lock_bh when iterating over list of device addresses
from TPROXY and redirect, also from Liping.
6) Fix crash when trying to dump expectations from conntrack with no
helper via ctnetlink, from Liping.
7) Missing RCU protection to expecation list update given ctnetlink
iterates over the list under rcu read lock side, from Liping too.
8) Don't dump autogenerated seed in nft_hash to userspace, this is
very confusing to the user, again from Liping.
9) Fix wrong conntrack netns module refcount in ipt_CLUSTERIP,
from Gao feng.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_helper.c | 17 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 41 | ||||
| -rw-r--r-- | net/netfilter/nf_nat_redirect.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nft_hash.c | 10 | ||||
| -rw-r--r-- | net/netfilter/xt_TCPMSS.c | 6 | ||||
| -rw-r--r-- | net/netfilter/xt_TPROXY.c | 5 |
8 files changed, 62 insertions, 25 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 52f26459efc3..9b8841316e7b 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c | |||
| @@ -461,7 +461,7 @@ static void clusterip_tg_destroy(const struct xt_tgdtor_param *par) | |||
| 461 | 461 | ||
| 462 | clusterip_config_put(cipinfo->config); | 462 | clusterip_config_put(cipinfo->config); |
| 463 | 463 | ||
| 464 | nf_ct_netns_get(par->net, par->family); | 464 | nf_ct_netns_put(par->net, par->family); |
| 465 | } | 465 | } |
| 466 | 466 | ||
| 467 | #ifdef CONFIG_COMPAT | 467 | #ifdef CONFIG_COMPAT |
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 4b2e1fb28bb4..d80073037856 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c | |||
| @@ -57,7 +57,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp, | |||
| 57 | hlist_del_rcu(&exp->hnode); | 57 | hlist_del_rcu(&exp->hnode); |
| 58 | net->ct.expect_count--; | 58 | net->ct.expect_count--; |
| 59 | 59 | ||
| 60 | hlist_del(&exp->lnode); | 60 | hlist_del_rcu(&exp->lnode); |
| 61 | master_help->expecting[exp->class]--; | 61 | master_help->expecting[exp->class]--; |
| 62 | 62 | ||
| 63 | nf_ct_expect_event_report(IPEXP_DESTROY, exp, portid, report); | 63 | nf_ct_expect_event_report(IPEXP_DESTROY, exp, portid, report); |
| @@ -363,7 +363,7 @@ static void nf_ct_expect_insert(struct nf_conntrack_expect *exp) | |||
| 363 | /* two references : one for hash insert, one for the timer */ | 363 | /* two references : one for hash insert, one for the timer */ |
| 364 | atomic_add(2, &exp->use); | 364 | atomic_add(2, &exp->use); |
| 365 | 365 | ||
| 366 | hlist_add_head(&exp->lnode, &master_help->expectations); | 366 | hlist_add_head_rcu(&exp->lnode, &master_help->expectations); |
| 367 | master_help->expecting[exp->class]++; | 367 | master_help->expecting[exp->class]++; |
| 368 | 368 | ||
| 369 | hlist_add_head_rcu(&exp->hnode, &nf_ct_expect_hash[h]); | 369 | hlist_add_head_rcu(&exp->hnode, &nf_ct_expect_hash[h]); |
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 6dc44d9b4190..4eeb3418366a 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c | |||
| @@ -158,16 +158,25 @@ nf_conntrack_helper_try_module_get(const char *name, u16 l3num, u8 protonum) | |||
| 158 | { | 158 | { |
| 159 | struct nf_conntrack_helper *h; | 159 | struct nf_conntrack_helper *h; |
| 160 | 160 | ||
| 161 | rcu_read_lock(); | ||
| 162 | |||
| 161 | h = __nf_conntrack_helper_find(name, l3num, protonum); | 163 | h = __nf_conntrack_helper_find(name, l3num, protonum); |
| 162 | #ifdef CONFIG_MODULES | 164 | #ifdef CONFIG_MODULES |
| 163 | if (h == NULL) { | 165 | if (h == NULL) { |
| 164 | if (request_module("nfct-helper-%s", name) == 0) | 166 | rcu_read_unlock(); |
| 167 | if (request_module("nfct-helper-%s", name) == 0) { | ||
| 168 | rcu_read_lock(); | ||
| 165 | h = __nf_conntrack_helper_find(name, l3num, protonum); | 169 | h = __nf_conntrack_helper_find(name, l3num, protonum); |
| 170 | } else { | ||
| 171 | return h; | ||
| 172 | } | ||
| 166 | } | 173 | } |
| 167 | #endif | 174 | #endif |
| 168 | if (h != NULL && !try_module_get(h->me)) | 175 | if (h != NULL && !try_module_get(h->me)) |
| 169 | h = NULL; | 176 | h = NULL; |
| 170 | 177 | ||
| 178 | rcu_read_unlock(); | ||
| 179 | |||
| 171 | return h; | 180 | return h; |
| 172 | } | 181 | } |
| 173 | EXPORT_SYMBOL_GPL(nf_conntrack_helper_try_module_get); | 182 | EXPORT_SYMBOL_GPL(nf_conntrack_helper_try_module_get); |
| @@ -311,38 +320,36 @@ void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n) | |||
| 311 | } | 320 | } |
| 312 | EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_unregister); | 321 | EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_unregister); |
| 313 | 322 | ||
| 323 | /* Caller should hold the rcu lock */ | ||
| 314 | struct nf_ct_helper_expectfn * | 324 | struct nf_ct_helper_expectfn * |
| 315 | nf_ct_helper_expectfn_find_by_name(const char *name) | 325 | nf_ct_helper_expectfn_find_by_name(const char *name) |
| 316 | { | 326 | { |
| 317 | struct nf_ct_helper_expectfn *cur; | 327 | struct nf_ct_helper_expectfn *cur; |
| 318 | bool found = false; | 328 | bool found = false; |
| 319 | 329 | ||
| 320 | rcu_read_lock(); | ||
| 321 | list_for_each_entry_rcu(cur, &nf_ct_helper_expectfn_list, head) { | 330 | list_for_each_entry_rcu(cur, &nf_ct_helper_expectfn_list, head) { |
| 322 | if (!strcmp(cur->name, name)) { | 331 | if (!strcmp(cur->name, name)) { |
| 323 | found = true; | 332 | found = true; |
| 324 | break; | 333 | break; |
| 325 | } | 334 | } |
| 326 | } | 335 | } |
| 327 | rcu_read_unlock(); | ||
| 328 | return found ? cur : NULL; | 336 | return found ? cur : NULL; |
| 329 | } | 337 | } |
| 330 | EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_name); | 338 | EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_name); |
| 331 | 339 | ||
| 340 | /* Caller should hold the rcu lock */ | ||
| 332 | struct nf_ct_helper_expectfn * | 341 | struct nf_ct_helper_expectfn * |
| 333 | nf_ct_helper_expectfn_find_by_symbol(const void *symbol) | 342 | nf_ct_helper_expectfn_find_by_symbol(const void *symbol) |
| 334 | { | 343 | { |
| 335 | struct nf_ct_helper_expectfn *cur; | 344 | struct nf_ct_helper_expectfn *cur; |
| 336 | bool found = false; | 345 | bool found = false; |
| 337 | 346 | ||
| 338 | rcu_read_lock(); | ||
| 339 | list_for_each_entry_rcu(cur, &nf_ct_helper_expectfn_list, head) { | 347 | list_for_each_entry_rcu(cur, &nf_ct_helper_expectfn_list, head) { |
| 340 | if (cur->expectfn == symbol) { | 348 | if (cur->expectfn == symbol) { |
| 341 | found = true; | 349 | found = true; |
| 342 | break; | 350 | break; |
| 343 | } | 351 | } |
| 344 | } | 352 | } |
| 345 | rcu_read_unlock(); | ||
| 346 | return found ? cur : NULL; | 353 | return found ? cur : NULL; |
| 347 | } | 354 | } |
| 348 | EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_symbol); | 355 | EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_symbol); |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 908d858034e4..dc7dfd68fafe 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -1488,11 +1488,16 @@ static int ctnetlink_change_helper(struct nf_conn *ct, | |||
| 1488 | * treat the second attempt as a no-op instead of returning | 1488 | * treat the second attempt as a no-op instead of returning |
| 1489 | * an error. | 1489 | * an error. |
| 1490 | */ | 1490 | */ |
| 1491 | if (help && help->helper && | 1491 | err = -EBUSY; |
| 1492 | !strcmp(help->helper->name, helpname)) | 1492 | if (help) { |
| 1493 | return 0; | 1493 | rcu_read_lock(); |
| 1494 | else | 1494 | helper = rcu_dereference(help->helper); |
| 1495 | return -EBUSY; | 1495 | if (helper && !strcmp(helper->name, helpname)) |
| 1496 | err = 0; | ||
| 1497 | rcu_read_unlock(); | ||
| 1498 | } | ||
| 1499 | |||
| 1500 | return err; | ||
| 1496 | } | 1501 | } |
| 1497 | 1502 | ||
| 1498 | if (!strcmp(helpname, "")) { | 1503 | if (!strcmp(helpname, "")) { |
| @@ -1929,9 +1934,9 @@ static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl, | |||
| 1929 | 1934 | ||
| 1930 | err = 0; | 1935 | err = 0; |
| 1931 | if (test_bit(IPS_EXPECTED_BIT, &ct->status)) | 1936 | if (test_bit(IPS_EXPECTED_BIT, &ct->status)) |
| 1932 | events = IPCT_RELATED; | 1937 | events = 1 << IPCT_RELATED; |
| 1933 | else | 1938 | else |
| 1934 | events = IPCT_NEW; | 1939 | events = 1 << IPCT_NEW; |
| 1935 | 1940 | ||
| 1936 | if (cda[CTA_LABELS] && | 1941 | if (cda[CTA_LABELS] && |
| 1937 | ctnetlink_attach_labels(ct, cda) == 0) | 1942 | ctnetlink_attach_labels(ct, cda) == 0) |
| @@ -2675,8 +2680,8 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 2675 | last = (struct nf_conntrack_expect *)cb->args[1]; | 2680 | last = (struct nf_conntrack_expect *)cb->args[1]; |
| 2676 | for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { | 2681 | for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { |
| 2677 | restart: | 2682 | restart: |
| 2678 | hlist_for_each_entry(exp, &nf_ct_expect_hash[cb->args[0]], | 2683 | hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], |
| 2679 | hnode) { | 2684 | hnode) { |
| 2680 | if (l3proto && exp->tuple.src.l3num != l3proto) | 2685 | if (l3proto && exp->tuple.src.l3num != l3proto) |
| 2681 | continue; | 2686 | continue; |
| 2682 | 2687 | ||
| @@ -2727,7 +2732,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 2727 | rcu_read_lock(); | 2732 | rcu_read_lock(); |
| 2728 | last = (struct nf_conntrack_expect *)cb->args[1]; | 2733 | last = (struct nf_conntrack_expect *)cb->args[1]; |
| 2729 | restart: | 2734 | restart: |
| 2730 | hlist_for_each_entry(exp, &help->expectations, lnode) { | 2735 | hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { |
| 2731 | if (l3proto && exp->tuple.src.l3num != l3proto) | 2736 | if (l3proto && exp->tuple.src.l3num != l3proto) |
| 2732 | continue; | 2737 | continue; |
| 2733 | if (cb->args[1]) { | 2738 | if (cb->args[1]) { |
| @@ -2789,6 +2794,12 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, | |||
| 2789 | return -ENOENT; | 2794 | return -ENOENT; |
| 2790 | 2795 | ||
| 2791 | ct = nf_ct_tuplehash_to_ctrack(h); | 2796 | ct = nf_ct_tuplehash_to_ctrack(h); |
| 2797 | /* No expectation linked to this connection tracking. */ | ||
| 2798 | if (!nfct_help(ct)) { | ||
| 2799 | nf_ct_put(ct); | ||
| 2800 | return 0; | ||
| 2801 | } | ||
| 2802 | |||
| 2792 | c.data = ct; | 2803 | c.data = ct; |
| 2793 | 2804 | ||
| 2794 | err = netlink_dump_start(ctnl, skb, nlh, &c); | 2805 | err = netlink_dump_start(ctnl, skb, nlh, &c); |
| @@ -3133,23 +3144,27 @@ ctnetlink_create_expect(struct net *net, | |||
| 3133 | return -ENOENT; | 3144 | return -ENOENT; |
| 3134 | ct = nf_ct_tuplehash_to_ctrack(h); | 3145 | ct = nf_ct_tuplehash_to_ctrack(h); |
| 3135 | 3146 | ||
| 3147 | rcu_read_lock(); | ||
| 3136 | if (cda[CTA_EXPECT_HELP_NAME]) { | 3148 | if (cda[CTA_EXPECT_HELP_NAME]) { |
| 3137 | const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); | 3149 | const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); |
| 3138 | 3150 | ||
| 3139 | helper = __nf_conntrack_helper_find(helpname, u3, | 3151 | helper = __nf_conntrack_helper_find(helpname, u3, |
| 3140 | nf_ct_protonum(ct)); | 3152 | nf_ct_protonum(ct)); |
| 3141 | if (helper == NULL) { | 3153 | if (helper == NULL) { |
| 3154 | rcu_read_unlock(); | ||
| 3142 | #ifdef CONFIG_MODULES | 3155 | #ifdef CONFIG_MODULES |
| 3143 | if (request_module("nfct-helper-%s", helpname) < 0) { | 3156 | if (request_module("nfct-helper-%s", helpname) < 0) { |
| 3144 | err = -EOPNOTSUPP; | 3157 | err = -EOPNOTSUPP; |
| 3145 | goto err_ct; | 3158 | goto err_ct; |
| 3146 | } | 3159 | } |
| 3160 | rcu_read_lock(); | ||
| 3147 | helper = __nf_conntrack_helper_find(helpname, u3, | 3161 | helper = __nf_conntrack_helper_find(helpname, u3, |
| 3148 | nf_ct_protonum(ct)); | 3162 | nf_ct_protonum(ct)); |
| 3149 | if (helper) { | 3163 | if (helper) { |
| 3150 | err = -EAGAIN; | 3164 | err = -EAGAIN; |
| 3151 | goto err_ct; | 3165 | goto err_rcu; |
| 3152 | } | 3166 | } |
| 3167 | rcu_read_unlock(); | ||
| 3153 | #endif | 3168 | #endif |
| 3154 | err = -EOPNOTSUPP; | 3169 | err = -EOPNOTSUPP; |
| 3155 | goto err_ct; | 3170 | goto err_ct; |
| @@ -3159,11 +3174,13 @@ ctnetlink_create_expect(struct net *net, | |||
| 3159 | exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask); | 3174 | exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask); |
| 3160 | if (IS_ERR(exp)) { | 3175 | if (IS_ERR(exp)) { |
| 3161 | err = PTR_ERR(exp); | 3176 | err = PTR_ERR(exp); |
| 3162 | goto err_ct; | 3177 | goto err_rcu; |
| 3163 | } | 3178 | } |
| 3164 | 3179 | ||
| 3165 | err = nf_ct_expect_related_report(exp, portid, report); | 3180 | err = nf_ct_expect_related_report(exp, portid, report); |
| 3166 | nf_ct_expect_put(exp); | 3181 | nf_ct_expect_put(exp); |
| 3182 | err_rcu: | ||
| 3183 | rcu_read_unlock(); | ||
| 3167 | err_ct: | 3184 | err_ct: |
| 3168 | nf_ct_put(ct); | 3185 | nf_ct_put(ct); |
| 3169 | return err; | 3186 | return err; |
diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c index d43869879fcf..86067560a318 100644 --- a/net/netfilter/nf_nat_redirect.c +++ b/net/netfilter/nf_nat_redirect.c | |||
| @@ -101,11 +101,13 @@ nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range *range, | |||
| 101 | rcu_read_lock(); | 101 | rcu_read_lock(); |
| 102 | idev = __in6_dev_get(skb->dev); | 102 | idev = __in6_dev_get(skb->dev); |
| 103 | if (idev != NULL) { | 103 | if (idev != NULL) { |
| 104 | read_lock_bh(&idev->lock); | ||
| 104 | list_for_each_entry(ifa, &idev->addr_list, if_list) { | 105 | list_for_each_entry(ifa, &idev->addr_list, if_list) { |
| 105 | newdst = ifa->addr; | 106 | newdst = ifa->addr; |
| 106 | addr = true; | 107 | addr = true; |
| 107 | break; | 108 | break; |
| 108 | } | 109 | } |
| 110 | read_unlock_bh(&idev->lock); | ||
| 109 | } | 111 | } |
| 110 | rcu_read_unlock(); | 112 | rcu_read_unlock(); |
| 111 | 113 | ||
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c index eb2721af898d..c4dad1254ead 100644 --- a/net/netfilter/nft_hash.c +++ b/net/netfilter/nft_hash.c | |||
| @@ -21,6 +21,7 @@ struct nft_hash { | |||
| 21 | enum nft_registers sreg:8; | 21 | enum nft_registers sreg:8; |
| 22 | enum nft_registers dreg:8; | 22 | enum nft_registers dreg:8; |
| 23 | u8 len; | 23 | u8 len; |
| 24 | bool autogen_seed:1; | ||
| 24 | u32 modulus; | 25 | u32 modulus; |
| 25 | u32 seed; | 26 | u32 seed; |
| 26 | u32 offset; | 27 | u32 offset; |
| @@ -82,10 +83,12 @@ static int nft_hash_init(const struct nft_ctx *ctx, | |||
| 82 | if (priv->offset + priv->modulus - 1 < priv->offset) | 83 | if (priv->offset + priv->modulus - 1 < priv->offset) |
| 83 | return -EOVERFLOW; | 84 | return -EOVERFLOW; |
| 84 | 85 | ||
| 85 | if (tb[NFTA_HASH_SEED]) | 86 | if (tb[NFTA_HASH_SEED]) { |
| 86 | priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED])); | 87 | priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED])); |
| 87 | else | 88 | } else { |
| 89 | priv->autogen_seed = true; | ||
| 88 | get_random_bytes(&priv->seed, sizeof(priv->seed)); | 90 | get_random_bytes(&priv->seed, sizeof(priv->seed)); |
| 91 | } | ||
| 89 | 92 | ||
| 90 | return nft_validate_register_load(priv->sreg, len) && | 93 | return nft_validate_register_load(priv->sreg, len) && |
| 91 | nft_validate_register_store(ctx, priv->dreg, NULL, | 94 | nft_validate_register_store(ctx, priv->dreg, NULL, |
| @@ -105,7 +108,8 @@ static int nft_hash_dump(struct sk_buff *skb, | |||
| 105 | goto nla_put_failure; | 108 | goto nla_put_failure; |
| 106 | if (nla_put_be32(skb, NFTA_HASH_MODULUS, htonl(priv->modulus))) | 109 | if (nla_put_be32(skb, NFTA_HASH_MODULUS, htonl(priv->modulus))) |
| 107 | goto nla_put_failure; | 110 | goto nla_put_failure; |
| 108 | if (nla_put_be32(skb, NFTA_HASH_SEED, htonl(priv->seed))) | 111 | if (!priv->autogen_seed && |
| 112 | nla_put_be32(skb, NFTA_HASH_SEED, htonl(priv->seed))) | ||
| 109 | goto nla_put_failure; | 113 | goto nla_put_failure; |
| 110 | if (priv->offset != 0) | 114 | if (priv->offset != 0) |
| 111 | if (nla_put_be32(skb, NFTA_HASH_OFFSET, htonl(priv->offset))) | 115 | if (nla_put_be32(skb, NFTA_HASH_OFFSET, htonl(priv->offset))) |
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 27241a767f17..c64aca611ac5 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c | |||
| @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, | |||
| 104 | tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); | 104 | tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); |
| 105 | tcp_hdrlen = tcph->doff * 4; | 105 | tcp_hdrlen = tcph->doff * 4; |
| 106 | 106 | ||
| 107 | if (len < tcp_hdrlen) | 107 | if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) |
| 108 | return -1; | 108 | return -1; |
| 109 | 109 | ||
| 110 | if (info->mss == XT_TCPMSS_CLAMP_PMTU) { | 110 | if (info->mss == XT_TCPMSS_CLAMP_PMTU) { |
| @@ -152,6 +152,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, | |||
| 152 | if (len > tcp_hdrlen) | 152 | if (len > tcp_hdrlen) |
| 153 | return 0; | 153 | return 0; |
| 154 | 154 | ||
| 155 | /* tcph->doff has 4 bits, do not wrap it to 0 */ | ||
| 156 | if (tcp_hdrlen >= 15 * 4) | ||
| 157 | return 0; | ||
| 158 | |||
| 155 | /* | 159 | /* |
| 156 | * MSS Option not found ?! add it.. | 160 | * MSS Option not found ?! add it.. |
| 157 | */ | 161 | */ |
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c index 80cb7babeb64..df7f1df00330 100644 --- a/net/netfilter/xt_TPROXY.c +++ b/net/netfilter/xt_TPROXY.c | |||
| @@ -393,7 +393,8 @@ tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr, | |||
| 393 | 393 | ||
| 394 | rcu_read_lock(); | 394 | rcu_read_lock(); |
| 395 | indev = __in6_dev_get(skb->dev); | 395 | indev = __in6_dev_get(skb->dev); |
| 396 | if (indev) | 396 | if (indev) { |
| 397 | read_lock_bh(&indev->lock); | ||
| 397 | list_for_each_entry(ifa, &indev->addr_list, if_list) { | 398 | list_for_each_entry(ifa, &indev->addr_list, if_list) { |
| 398 | if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED)) | 399 | if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED)) |
| 399 | continue; | 400 | continue; |
| @@ -401,6 +402,8 @@ tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr, | |||
| 401 | laddr = &ifa->addr; | 402 | laddr = &ifa->addr; |
| 402 | break; | 403 | break; |
| 403 | } | 404 | } |
| 405 | read_unlock_bh(&indev->lock); | ||
| 406 | } | ||
| 404 | rcu_read_unlock(); | 407 | rcu_read_unlock(); |
| 405 | 408 | ||
| 406 | return laddr ? laddr : daddr; | 409 | return laddr ? laddr : daddr; |