aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2014-11-21 00:12:39 -0500
committerDavid S. Miller <davem@davemloft.net>2014-11-21 00:12:39 -0500
commit7e09dccd07518729fe3cf586beb83acffa2e64ca (patch)
tree2ef7558f6db8bd9fd7355d8194d1b5d871edf63f
parentc8577819009473311d5f74112e136f17d7859ee1 (diff)
parentf0b4eeced518c632210ef2aea44fc92cc9e86cce (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains two bugfixes for your net tree, they are: 1) Validate netlink group from nfnetlink to avoid an out of bound array access. This should only happen with superuser priviledges though. Discovered by Andrey Ryabinin using trinity. 2) Don't push ethernet header before calling the netfilter output hook for multicast traffic, this breaks ebtables since it expects to see skb->data pointing to the network header, patch from Linus Luessing. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--net/bridge/br_multicast.c3
-rw-r--r--net/netfilter/nfnetlink.c12
2 files changed, 12 insertions, 3 deletions
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 648d79ccf462..c465876c7861 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -813,10 +813,9 @@ static void __br_multicast_send_query(struct net_bridge *br,
813 return; 813 return;
814 814
815 if (port) { 815 if (port) {
816 __skb_push(skb, sizeof(struct ethhdr));
817 skb->dev = port->dev; 816 skb->dev = port->dev;
818 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 817 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
819 dev_queue_xmit); 818 br_dev_queue_push_xmit);
820 } else { 819 } else {
821 br_multicast_select_own_querier(br, ip, skb); 820 br_multicast_select_own_querier(br, ip, skb);
822 netif_rx(skb); 821 netif_rx(skb);
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 6c5a915cfa75..13c2e17bbe27 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -47,6 +47,8 @@ static const int nfnl_group2type[NFNLGRP_MAX+1] = {
47 [NFNLGRP_CONNTRACK_EXP_NEW] = NFNL_SUBSYS_CTNETLINK_EXP, 47 [NFNLGRP_CONNTRACK_EXP_NEW] = NFNL_SUBSYS_CTNETLINK_EXP,
48 [NFNLGRP_CONNTRACK_EXP_UPDATE] = NFNL_SUBSYS_CTNETLINK_EXP, 48 [NFNLGRP_CONNTRACK_EXP_UPDATE] = NFNL_SUBSYS_CTNETLINK_EXP,
49 [NFNLGRP_CONNTRACK_EXP_DESTROY] = NFNL_SUBSYS_CTNETLINK_EXP, 49 [NFNLGRP_CONNTRACK_EXP_DESTROY] = NFNL_SUBSYS_CTNETLINK_EXP,
50 [NFNLGRP_NFTABLES] = NFNL_SUBSYS_NFTABLES,
51 [NFNLGRP_ACCT_QUOTA] = NFNL_SUBSYS_ACCT,
50}; 52};
51 53
52void nfnl_lock(__u8 subsys_id) 54void nfnl_lock(__u8 subsys_id)
@@ -464,7 +466,12 @@ static void nfnetlink_rcv(struct sk_buff *skb)
464static int nfnetlink_bind(int group) 466static int nfnetlink_bind(int group)
465{ 467{
466 const struct nfnetlink_subsystem *ss; 468 const struct nfnetlink_subsystem *ss;
467 int type = nfnl_group2type[group]; 469 int type;
470
471 if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX)
472 return -EINVAL;
473
474 type = nfnl_group2type[group];
468 475
469 rcu_read_lock(); 476 rcu_read_lock();
470 ss = nfnetlink_get_subsys(type); 477 ss = nfnetlink_get_subsys(type);
@@ -514,6 +521,9 @@ static int __init nfnetlink_init(void)
514{ 521{
515 int i; 522 int i;
516 523
524 for (i = NFNLGRP_NONE + 1; i <= NFNLGRP_MAX; i++)
525 BUG_ON(nfnl_group2type[i] == NFNL_SUBSYS_NONE);
526
517 for (i=0; i<NFNL_SUBSYS_COUNT; i++) 527 for (i=0; i<NFNL_SUBSYS_COUNT; i++)
518 mutex_init(&table[i].mutex); 528 mutex_init(&table[i].mutex);
519 529
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-02 20:52:29 -0400