diff options
Diffstat (limited to 'net')
-rw-r--r-- | net/bridge/netfilter/Kconfig | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_queue.c | 12 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6_queue.c | 12 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_pptp.c | 1 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 6 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_queue.c | 4 | ||||
-rw-r--r-- | net/netfilter/xt_rateest.c | 9 |
7 files changed, 21 insertions, 25 deletions
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig index ba6f73eb06c6..a9aff9c7d027 100644 --- a/net/bridge/netfilter/Kconfig +++ b/net/bridge/netfilter/Kconfig | |||
@@ -4,7 +4,7 @@ | |||
4 | 4 | ||
5 | menuconfig BRIDGE_NF_EBTABLES | 5 | menuconfig BRIDGE_NF_EBTABLES |
6 | tristate "Ethernet Bridge tables (ebtables) support" | 6 | tristate "Ethernet Bridge tables (ebtables) support" |
7 | depends on BRIDGE && BRIDGE_NETFILTER | 7 | depends on BRIDGE && NETFILTER |
8 | select NETFILTER_XTABLES | 8 | select NETFILTER_XTABLES |
9 | help | 9 | help |
10 | ebtables is a general, extensible frame/packet identification | 10 | ebtables is a general, extensible frame/packet identification |
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c index 5c9b9d963918..e59aabd0eae4 100644 --- a/net/ipv4/netfilter/ip_queue.c +++ b/net/ipv4/netfilter/ip_queue.c | |||
@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) | |||
218 | return skb; | 218 | return skb; |
219 | 219 | ||
220 | nlmsg_failure: | 220 | nlmsg_failure: |
221 | kfree_skb(skb); | ||
221 | *errp = -EINVAL; | 222 | *errp = -EINVAL; |
222 | printk(KERN_ERR "ip_queue: error creating packet message\n"); | 223 | printk(KERN_ERR "ip_queue: error creating packet message\n"); |
223 | return NULL; | 224 | return NULL; |
@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len) | |||
313 | { | 314 | { |
314 | struct nf_queue_entry *entry; | 315 | struct nf_queue_entry *entry; |
315 | 316 | ||
316 | if (vmsg->value > NF_MAX_VERDICT) | 317 | if (vmsg->value > NF_MAX_VERDICT || vmsg->value == NF_STOLEN) |
317 | return -EINVAL; | 318 | return -EINVAL; |
318 | 319 | ||
319 | entry = ipq_find_dequeue_entry(vmsg->id); | 320 | entry = ipq_find_dequeue_entry(vmsg->id); |
@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg, | |||
358 | break; | 359 | break; |
359 | 360 | ||
360 | case IPQM_VERDICT: | 361 | case IPQM_VERDICT: |
361 | if (pmsg->msg.verdict.value > NF_MAX_VERDICT) | 362 | status = ipq_set_verdict(&pmsg->msg.verdict, |
362 | status = -EINVAL; | 363 | len - sizeof(*pmsg)); |
363 | else | 364 | break; |
364 | status = ipq_set_verdict(&pmsg->msg.verdict, | ||
365 | len - sizeof(*pmsg)); | ||
366 | break; | ||
367 | default: | 365 | default: |
368 | status = -EINVAL; | 366 | status = -EINVAL; |
369 | } | 367 | } |
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c index 249394863284..e63c3972a739 100644 --- a/net/ipv6/netfilter/ip6_queue.c +++ b/net/ipv6/netfilter/ip6_queue.c | |||
@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) | |||
218 | return skb; | 218 | return skb; |
219 | 219 | ||
220 | nlmsg_failure: | 220 | nlmsg_failure: |
221 | kfree_skb(skb); | ||
221 | *errp = -EINVAL; | 222 | *errp = -EINVAL; |
222 | printk(KERN_ERR "ip6_queue: error creating packet message\n"); | 223 | printk(KERN_ERR "ip6_queue: error creating packet message\n"); |
223 | return NULL; | 224 | return NULL; |
@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len) | |||
313 | { | 314 | { |
314 | struct nf_queue_entry *entry; | 315 | struct nf_queue_entry *entry; |
315 | 316 | ||
316 | if (vmsg->value > NF_MAX_VERDICT) | 317 | if (vmsg->value > NF_MAX_VERDICT || vmsg->value == NF_STOLEN) |
317 | return -EINVAL; | 318 | return -EINVAL; |
318 | 319 | ||
319 | entry = ipq_find_dequeue_entry(vmsg->id); | 320 | entry = ipq_find_dequeue_entry(vmsg->id); |
@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg, | |||
358 | break; | 359 | break; |
359 | 360 | ||
360 | case IPQM_VERDICT: | 361 | case IPQM_VERDICT: |
361 | if (pmsg->msg.verdict.value > NF_MAX_VERDICT) | 362 | status = ipq_set_verdict(&pmsg->msg.verdict, |
362 | status = -EINVAL; | 363 | len - sizeof(*pmsg)); |
363 | else | 364 | break; |
364 | status = ipq_set_verdict(&pmsg->msg.verdict, | ||
365 | len - sizeof(*pmsg)); | ||
366 | break; | ||
367 | default: | 365 | default: |
368 | status = -EINVAL; | 366 | status = -EINVAL; |
369 | } | 367 | } |
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c index 2fd4565144de..31d56b23b9e9 100644 --- a/net/netfilter/nf_conntrack_pptp.c +++ b/net/netfilter/nf_conntrack_pptp.c | |||
@@ -364,6 +364,7 @@ pptp_inbound_pkt(struct sk_buff *skb, | |||
364 | break; | 364 | break; |
365 | 365 | ||
366 | case PPTP_WAN_ERROR_NOTIFY: | 366 | case PPTP_WAN_ERROR_NOTIFY: |
367 | case PPTP_SET_LINK_INFO: | ||
367 | case PPTP_ECHO_REQUEST: | 368 | case PPTP_ECHO_REQUEST: |
368 | case PPTP_ECHO_REPLY: | 369 | case PPTP_ECHO_REPLY: |
369 | /* I don't have to explain these ;) */ | 370 | /* I don't have to explain these ;) */ |
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 37bf94394be0..8235b86b4e87 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb, | |||
409 | if (opsize < 2) /* "silly options" */ | 409 | if (opsize < 2) /* "silly options" */ |
410 | return; | 410 | return; |
411 | if (opsize > length) | 411 | if (opsize > length) |
412 | break; /* don't parse partial options */ | 412 | return; /* don't parse partial options */ |
413 | 413 | ||
414 | if (opcode == TCPOPT_SACK_PERM | 414 | if (opcode == TCPOPT_SACK_PERM |
415 | && opsize == TCPOLEN_SACK_PERM) | 415 | && opsize == TCPOLEN_SACK_PERM) |
@@ -447,7 +447,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, | |||
447 | BUG_ON(ptr == NULL); | 447 | BUG_ON(ptr == NULL); |
448 | 448 | ||
449 | /* Fast path for timestamp-only option */ | 449 | /* Fast path for timestamp-only option */ |
450 | if (length == TCPOLEN_TSTAMP_ALIGNED*4 | 450 | if (length == TCPOLEN_TSTAMP_ALIGNED |
451 | && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24) | 451 | && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24) |
452 | | (TCPOPT_NOP << 16) | 452 | | (TCPOPT_NOP << 16) |
453 | | (TCPOPT_TIMESTAMP << 8) | 453 | | (TCPOPT_TIMESTAMP << 8) |
@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, | |||
469 | if (opsize < 2) /* "silly options" */ | 469 | if (opsize < 2) /* "silly options" */ |
470 | return; | 470 | return; |
471 | if (opsize > length) | 471 | if (opsize > length) |
472 | break; /* don't parse partial options */ | 472 | return; /* don't parse partial options */ |
473 | 473 | ||
474 | if (opcode == TCPOPT_SACK | 474 | if (opcode == TCPOPT_SACK |
475 | && opsize >= (TCPOLEN_SACK_BASE | 475 | && opsize >= (TCPOLEN_SACK_BASE |
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 00bd475eab4b..a80b0cb03f17 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c | |||
@@ -646,8 +646,8 @@ verdicthdr_get(const struct nlattr * const nfqa[]) | |||
646 | return NULL; | 646 | return NULL; |
647 | 647 | ||
648 | vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]); | 648 | vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]); |
649 | verdict = ntohl(vhdr->verdict); | 649 | verdict = ntohl(vhdr->verdict) & NF_VERDICT_MASK; |
650 | if ((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT) | 650 | if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN) |
651 | return NULL; | 651 | return NULL; |
652 | return vhdr; | 652 | return vhdr; |
653 | } | 653 | } |
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c index 76a083184d8e..ed0db15ab00e 100644 --- a/net/netfilter/xt_rateest.c +++ b/net/netfilter/xt_rateest.c | |||
@@ -78,7 +78,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) | |||
78 | { | 78 | { |
79 | struct xt_rateest_match_info *info = par->matchinfo; | 79 | struct xt_rateest_match_info *info = par->matchinfo; |
80 | struct xt_rateest *est1, *est2; | 80 | struct xt_rateest *est1, *est2; |
81 | int ret = false; | 81 | int ret = -EINVAL; |
82 | 82 | ||
83 | if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | | 83 | if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | |
84 | XT_RATEEST_MATCH_REL)) != 1) | 84 | XT_RATEEST_MATCH_REL)) != 1) |
@@ -101,13 +101,12 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) | |||
101 | if (!est1) | 101 | if (!est1) |
102 | goto err1; | 102 | goto err1; |
103 | 103 | ||
104 | est2 = NULL; | ||
104 | if (info->flags & XT_RATEEST_MATCH_REL) { | 105 | if (info->flags & XT_RATEEST_MATCH_REL) { |
105 | est2 = xt_rateest_lookup(info->name2); | 106 | est2 = xt_rateest_lookup(info->name2); |
106 | if (!est2) | 107 | if (!est2) |
107 | goto err2; | 108 | goto err2; |
108 | } else | 109 | } |
109 | est2 = NULL; | ||
110 | |||
111 | 110 | ||
112 | info->est1 = est1; | 111 | info->est1 = est1; |
113 | info->est2 = est2; | 112 | info->est2 = est2; |
@@ -116,7 +115,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) | |||
116 | err2: | 115 | err2: |
117 | xt_rateest_put(est1); | 116 | xt_rateest_put(est1); |
118 | err1: | 117 | err1: |
119 | return -EINVAL; | 118 | return ret; |
120 | } | 119 | } |
121 | 120 | ||
122 | static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) | 121 | static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) |