diff options
author | Linus Torvalds <torvalds@g5.osdl.org> | 2006-02-05 14:10:29 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-02-05 14:10:29 -0500 |
commit | 98bd0c07b60e029cf53eb76c027c27548dd66e9b (patch) | |
tree | 8542c44cc8d1f05a533fb82e04173549196f112d | |
parent | 5e375bc7d586e0df971734a5a5f1f080ffd89b68 (diff) | |
parent | 7918d212df31fb7ddfb317c5a8dccdcec647d754 (diff) |
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_connbytes.h | 4 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_policy.h | 22 | ||||
-rw-r--r-- | include/linux/netfilter_ipv6/ip6t_policy.h | 22 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_l3proto.h | 15 | ||||
-rw-r--r-- | net/bridge/netfilter/ebt_ulog.c | 10 | ||||
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 7 | ||||
-rw-r--r-- | net/ipv4/icmp.c | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 7 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_netlink.c | 3 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_tftp.c | 1 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_nat_standalone.c | 4 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 7 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ULOG.c | 26 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_policy.c | 11 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 7 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_policy.c | 7 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_core.c | 2 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_ftp.c | 2 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 3 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_log.c | 20 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_queue.c | 3 |
21 files changed, 124 insertions, 61 deletions
diff --git a/include/linux/netfilter_ipv4/ipt_connbytes.h b/include/linux/netfilter_ipv4/ipt_connbytes.h index b04dfa3083c9..f63e6ee91113 100644 --- a/include/linux/netfilter_ipv4/ipt_connbytes.h +++ b/include/linux/netfilter_ipv4/ipt_connbytes.h | |||
@@ -1,10 +1,10 @@ | |||
1 | #ifndef _IPT_CONNBYTES_H | 1 | #ifndef _IPT_CONNBYTES_H |
2 | #define _IPT_CONNBYTES_H | 2 | #define _IPT_CONNBYTES_H |
3 | 3 | ||
4 | #include <net/netfilter/xt_connbytes.h> | 4 | #include <linux/netfilter/xt_connbytes.h> |
5 | #define ipt_connbytes_what xt_connbytes_what | 5 | #define ipt_connbytes_what xt_connbytes_what |
6 | 6 | ||
7 | #define IPT_CONNBYTES_PKTS XT_CONNBYTES_PACKETS | 7 | #define IPT_CONNBYTES_PKTS XT_CONNBYTES_PKTS |
8 | #define IPT_CONNBYTES_BYTES XT_CONNBYTES_BYTES | 8 | #define IPT_CONNBYTES_BYTES XT_CONNBYTES_BYTES |
9 | #define IPT_CONNBYTES_AVGPKT XT_CONNBYTES_AVGPKT | 9 | #define IPT_CONNBYTES_AVGPKT XT_CONNBYTES_AVGPKT |
10 | 10 | ||
diff --git a/include/linux/netfilter_ipv4/ipt_policy.h b/include/linux/netfilter_ipv4/ipt_policy.h index 7fd1bec453f1..a3f6eff39d33 100644 --- a/include/linux/netfilter_ipv4/ipt_policy.h +++ b/include/linux/netfilter_ipv4/ipt_policy.h | |||
@@ -27,16 +27,22 @@ struct ipt_policy_spec | |||
27 | reqid:1; | 27 | reqid:1; |
28 | }; | 28 | }; |
29 | 29 | ||
30 | union ipt_policy_addr | ||
31 | { | ||
32 | struct in_addr a4; | ||
33 | struct in6_addr a6; | ||
34 | }; | ||
35 | |||
30 | struct ipt_policy_elem | 36 | struct ipt_policy_elem |
31 | { | 37 | { |
32 | u_int32_t saddr; | 38 | union ipt_policy_addr saddr; |
33 | u_int32_t smask; | 39 | union ipt_policy_addr smask; |
34 | u_int32_t daddr; | 40 | union ipt_policy_addr daddr; |
35 | u_int32_t dmask; | 41 | union ipt_policy_addr dmask; |
36 | u_int32_t spi; | 42 | u_int32_t spi; |
37 | u_int32_t reqid; | 43 | u_int32_t reqid; |
38 | u_int8_t proto; | 44 | u_int8_t proto; |
39 | u_int8_t mode; | 45 | u_int8_t mode; |
40 | 46 | ||
41 | struct ipt_policy_spec match; | 47 | struct ipt_policy_spec match; |
42 | struct ipt_policy_spec invert; | 48 | struct ipt_policy_spec invert; |
diff --git a/include/linux/netfilter_ipv6/ip6t_policy.h b/include/linux/netfilter_ipv6/ip6t_policy.h index 5a93afcd2ff1..671bd818300f 100644 --- a/include/linux/netfilter_ipv6/ip6t_policy.h +++ b/include/linux/netfilter_ipv6/ip6t_policy.h | |||
@@ -27,16 +27,22 @@ struct ip6t_policy_spec | |||
27 | reqid:1; | 27 | reqid:1; |
28 | }; | 28 | }; |
29 | 29 | ||
30 | union ip6t_policy_addr | ||
31 | { | ||
32 | struct in_addr a4; | ||
33 | struct in6_addr a6; | ||
34 | }; | ||
35 | |||
30 | struct ip6t_policy_elem | 36 | struct ip6t_policy_elem |
31 | { | 37 | { |
32 | struct in6_addr saddr; | 38 | union ip6t_policy_addr saddr; |
33 | struct in6_addr smask; | 39 | union ip6t_policy_addr smask; |
34 | struct in6_addr daddr; | 40 | union ip6t_policy_addr daddr; |
35 | struct in6_addr dmask; | 41 | union ip6t_policy_addr dmask; |
36 | u_int32_t spi; | 42 | u_int32_t spi; |
37 | u_int32_t reqid; | 43 | u_int32_t reqid; |
38 | u_int8_t proto; | 44 | u_int8_t proto; |
39 | u_int8_t mode; | 45 | u_int8_t mode; |
40 | 46 | ||
41 | struct ip6t_policy_spec match; | 47 | struct ip6t_policy_spec match; |
42 | struct ip6t_policy_spec invert; | 48 | struct ip6t_policy_spec invert; |
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index 67856eb93b43..dac43b15a5b0 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h | |||
@@ -88,12 +88,6 @@ extern struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX]; | |||
88 | extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto); | 88 | extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto); |
89 | extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto); | 89 | extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto); |
90 | 90 | ||
91 | static inline struct nf_conntrack_l3proto * | ||
92 | __nf_ct_l3proto_find(u_int16_t l3proto) | ||
93 | { | ||
94 | return nf_ct_l3protos[l3proto]; | ||
95 | } | ||
96 | |||
97 | extern struct nf_conntrack_l3proto * | 91 | extern struct nf_conntrack_l3proto * |
98 | nf_ct_l3proto_find_get(u_int16_t l3proto); | 92 | nf_ct_l3proto_find_get(u_int16_t l3proto); |
99 | 93 | ||
@@ -103,4 +97,13 @@ extern void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p); | |||
103 | extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4; | 97 | extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4; |
104 | extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6; | 98 | extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6; |
105 | extern struct nf_conntrack_l3proto nf_conntrack_generic_l3proto; | 99 | extern struct nf_conntrack_l3proto nf_conntrack_generic_l3proto; |
100 | |||
101 | static inline struct nf_conntrack_l3proto * | ||
102 | __nf_ct_l3proto_find(u_int16_t l3proto) | ||
103 | { | ||
104 | if (unlikely(l3proto >= AF_MAX)) | ||
105 | return &nf_conntrack_generic_l3proto; | ||
106 | return nf_ct_l3protos[l3proto]; | ||
107 | } | ||
108 | |||
106 | #endif /*_NF_CONNTRACK_L3PROTO_H*/ | 109 | #endif /*_NF_CONNTRACK_L3PROTO_H*/ |
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c index ce617b3dbbb8..802baf755ef4 100644 --- a/net/bridge/netfilter/ebt_ulog.c +++ b/net/bridge/netfilter/ebt_ulog.c | |||
@@ -46,7 +46,7 @@ | |||
46 | #define PRINTR(format, args...) do { if (net_ratelimit()) \ | 46 | #define PRINTR(format, args...) do { if (net_ratelimit()) \ |
47 | printk(format , ## args); } while (0) | 47 | printk(format , ## args); } while (0) |
48 | 48 | ||
49 | static unsigned int nlbufsiz = 4096; | 49 | static unsigned int nlbufsiz = NLMSG_GOODSIZE; |
50 | module_param(nlbufsiz, uint, 0600); | 50 | module_param(nlbufsiz, uint, 0600); |
51 | MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) " | 51 | MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) " |
52 | "(defaults to 4096)"); | 52 | "(defaults to 4096)"); |
@@ -98,12 +98,14 @@ static void ulog_timer(unsigned long data) | |||
98 | static struct sk_buff *ulog_alloc_skb(unsigned int size) | 98 | static struct sk_buff *ulog_alloc_skb(unsigned int size) |
99 | { | 99 | { |
100 | struct sk_buff *skb; | 100 | struct sk_buff *skb; |
101 | unsigned int n; | ||
101 | 102 | ||
102 | skb = alloc_skb(nlbufsiz, GFP_ATOMIC); | 103 | n = max(size, nlbufsiz); |
104 | skb = alloc_skb(n, GFP_ATOMIC); | ||
103 | if (!skb) { | 105 | if (!skb) { |
104 | PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer " | 106 | PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer " |
105 | "of size %ub!\n", nlbufsiz); | 107 | "of size %ub!\n", n); |
106 | if (size < nlbufsiz) { | 108 | if (n > size) { |
107 | /* try to allocate only as much as we need for | 109 | /* try to allocate only as much as we need for |
108 | * current packet */ | 110 | * current packet */ |
109 | skb = alloc_skb(size, GFP_ATOMIC); | 111 | skb = alloc_skb(size, GFP_ATOMIC); |
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 00729b3604f8..cbd4020cc84d 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
@@ -934,6 +934,13 @@ static int do_replace(void __user *user, unsigned int len) | |||
934 | BUGPRINT("Entries_size never zero\n"); | 934 | BUGPRINT("Entries_size never zero\n"); |
935 | return -EINVAL; | 935 | return -EINVAL; |
936 | } | 936 | } |
937 | /* overflow check */ | ||
938 | if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS - | ||
939 | SMP_CACHE_BYTES) / sizeof(struct ebt_counter)) | ||
940 | return -ENOMEM; | ||
941 | if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) | ||
942 | return -ENOMEM; | ||
943 | |||
937 | countersize = COUNTER_OFFSET(tmp.nentries) * | 944 | countersize = COUNTER_OFFSET(tmp.nentries) * |
938 | (highest_possible_processor_id()+1); | 945 | (highest_possible_processor_id()+1); |
939 | newinfo = (struct ebt_table_info *) | 946 | newinfo = (struct ebt_table_info *) |
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 6bc0887b0834..4d1c40972a4b 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c | |||
@@ -524,7 +524,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, u32 info) | |||
524 | iph->tos; | 524 | iph->tos; |
525 | 525 | ||
526 | if (ip_options_echo(&icmp_param.replyopts, skb_in)) | 526 | if (ip_options_echo(&icmp_param.replyopts, skb_in)) |
527 | goto ende; | 527 | goto out_unlock; |
528 | 528 | ||
529 | 529 | ||
530 | /* | 530 | /* |
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index afe3d8f8177d..dd1048be8a01 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -807,6 +807,13 @@ static int do_replace(void __user *user, unsigned int len) | |||
807 | if (len != sizeof(tmp) + tmp.size) | 807 | if (len != sizeof(tmp) + tmp.size) |
808 | return -ENOPROTOOPT; | 808 | return -ENOPROTOOPT; |
809 | 809 | ||
810 | /* overflow check */ | ||
811 | if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - | ||
812 | SMP_CACHE_BYTES) | ||
813 | return -ENOMEM; | ||
814 | if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) | ||
815 | return -ENOMEM; | ||
816 | |||
810 | newinfo = xt_alloc_table_info(tmp.size); | 817 | newinfo = xt_alloc_table_info(tmp.size); |
811 | if (!newinfo) | 818 | if (!newinfo) |
812 | return -ENOMEM; | 819 | return -ENOMEM; |
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c index c9ebbe0d2d9c..e0b5926c76f9 100644 --- a/net/ipv4/netfilter/ip_conntrack_netlink.c +++ b/net/ipv4/netfilter/ip_conntrack_netlink.c | |||
@@ -1216,7 +1216,7 @@ static int ctnetlink_expect_event(struct notifier_block *this, | |||
1216 | 1216 | ||
1217 | b = skb->tail; | 1217 | b = skb->tail; |
1218 | 1218 | ||
1219 | type |= NFNL_SUBSYS_CTNETLINK << 8; | 1219 | type |= NFNL_SUBSYS_CTNETLINK_EXP << 8; |
1220 | nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg)); | 1220 | nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg)); |
1221 | nfmsg = NLMSG_DATA(nlh); | 1221 | nfmsg = NLMSG_DATA(nlh); |
1222 | 1222 | ||
@@ -1567,6 +1567,7 @@ static struct nfnetlink_subsystem ctnl_exp_subsys = { | |||
1567 | }; | 1567 | }; |
1568 | 1568 | ||
1569 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); | 1569 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); |
1570 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); | ||
1570 | 1571 | ||
1571 | static int __init ctnetlink_init(void) | 1572 | static int __init ctnetlink_init(void) |
1572 | { | 1573 | { |
diff --git a/net/ipv4/netfilter/ip_conntrack_tftp.c b/net/ipv4/netfilter/ip_conntrack_tftp.c index d3c5a371f993..4ba4463cec28 100644 --- a/net/ipv4/netfilter/ip_conntrack_tftp.c +++ b/net/ipv4/netfilter/ip_conntrack_tftp.c | |||
@@ -71,6 +71,7 @@ static int tftp_help(struct sk_buff **pskb, | |||
71 | 71 | ||
72 | exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; | 72 | exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; |
73 | exp->mask.src.ip = 0xffffffff; | 73 | exp->mask.src.ip = 0xffffffff; |
74 | exp->mask.src.u.udp.port = 0; | ||
74 | exp->mask.dst.ip = 0xffffffff; | 75 | exp->mask.dst.ip = 0xffffffff; |
75 | exp->mask.dst.u.udp.port = 0xffff; | 76 | exp->mask.dst.u.udp.port = 0xffff; |
76 | exp->mask.dst.protonum = 0xff; | 77 | exp->mask.dst.protonum = 0xff; |
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c index ad438fb185b8..92c54999a19d 100644 --- a/net/ipv4/netfilter/ip_nat_standalone.c +++ b/net/ipv4/netfilter/ip_nat_standalone.c | |||
@@ -209,8 +209,8 @@ ip_nat_in(unsigned int hooknum, | |||
209 | && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) { | 209 | && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) { |
210 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | 210 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
211 | 211 | ||
212 | if (ct->tuplehash[dir].tuple.src.ip != | 212 | if (ct->tuplehash[dir].tuple.dst.ip != |
213 | ct->tuplehash[!dir].tuple.dst.ip) { | 213 | ct->tuplehash[!dir].tuple.src.ip) { |
214 | dst_release((*pskb)->dst); | 214 | dst_release((*pskb)->dst); |
215 | (*pskb)->dst = NULL; | 215 | (*pskb)->dst = NULL; |
216 | } | 216 | } |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 2371b2062c2d..16f47c675fef 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -921,6 +921,13 @@ do_replace(void __user *user, unsigned int len) | |||
921 | if (len != sizeof(tmp) + tmp.size) | 921 | if (len != sizeof(tmp) + tmp.size) |
922 | return -ENOPROTOOPT; | 922 | return -ENOPROTOOPT; |
923 | 923 | ||
924 | /* overflow check */ | ||
925 | if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - | ||
926 | SMP_CACHE_BYTES) | ||
927 | return -ENOMEM; | ||
928 | if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) | ||
929 | return -ENOMEM; | ||
930 | |||
924 | newinfo = xt_alloc_table_info(tmp.size); | 931 | newinfo = xt_alloc_table_info(tmp.size); |
925 | if (!newinfo) | 932 | if (!newinfo) |
926 | return -ENOMEM; | 933 | return -ENOMEM; |
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index 641dbc477650..180a9ea57b69 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
@@ -35,6 +35,10 @@ | |||
35 | * each nlgroup you are using, so the total kernel memory usage increases | 35 | * each nlgroup you are using, so the total kernel memory usage increases |
36 | * by that factor. | 36 | * by that factor. |
37 | * | 37 | * |
38 | * Actually you should use nlbufsiz a bit smaller than PAGE_SIZE, since | ||
39 | * nlbufsiz is used with alloc_skb, which adds another | ||
40 | * sizeof(struct skb_shared_info). Use NLMSG_GOODSIZE instead. | ||
41 | * | ||
38 | * flushtimeout: | 42 | * flushtimeout: |
39 | * Specify, after how many hundredths of a second the queue should be | 43 | * Specify, after how many hundredths of a second the queue should be |
40 | * flushed even if it is not full yet. | 44 | * flushed even if it is not full yet. |
@@ -76,7 +80,7 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG); | |||
76 | 80 | ||
77 | #define PRINTR(format, args...) do { if (net_ratelimit()) printk(format , ## args); } while (0) | 81 | #define PRINTR(format, args...) do { if (net_ratelimit()) printk(format , ## args); } while (0) |
78 | 82 | ||
79 | static unsigned int nlbufsiz = 4096; | 83 | static unsigned int nlbufsiz = NLMSG_GOODSIZE; |
80 | module_param(nlbufsiz, uint, 0400); | 84 | module_param(nlbufsiz, uint, 0400); |
81 | MODULE_PARM_DESC(nlbufsiz, "netlink buffer size"); | 85 | MODULE_PARM_DESC(nlbufsiz, "netlink buffer size"); |
82 | 86 | ||
@@ -143,22 +147,26 @@ static void ulog_timer(unsigned long data) | |||
143 | static struct sk_buff *ulog_alloc_skb(unsigned int size) | 147 | static struct sk_buff *ulog_alloc_skb(unsigned int size) |
144 | { | 148 | { |
145 | struct sk_buff *skb; | 149 | struct sk_buff *skb; |
150 | unsigned int n; | ||
146 | 151 | ||
147 | /* alloc skb which should be big enough for a whole | 152 | /* alloc skb which should be big enough for a whole |
148 | * multipart message. WARNING: has to be <= 131000 | 153 | * multipart message. WARNING: has to be <= 131000 |
149 | * due to slab allocator restrictions */ | 154 | * due to slab allocator restrictions */ |
150 | 155 | ||
151 | skb = alloc_skb(nlbufsiz, GFP_ATOMIC); | 156 | n = max(size, nlbufsiz); |
157 | skb = alloc_skb(n, GFP_ATOMIC); | ||
152 | if (!skb) { | 158 | if (!skb) { |
153 | PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", | 159 | PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", n); |
154 | nlbufsiz); | ||
155 | 160 | ||
156 | /* try to allocate only as much as we need for | 161 | if (n > size) { |
157 | * current packet */ | 162 | /* try to allocate only as much as we need for |
163 | * current packet */ | ||
158 | 164 | ||
159 | skb = alloc_skb(size, GFP_ATOMIC); | 165 | skb = alloc_skb(size, GFP_ATOMIC); |
160 | if (!skb) | 166 | if (!skb) |
161 | PRINTR("ipt_ULOG: can't even allocate %ub\n", size); | 167 | PRINTR("ipt_ULOG: can't even allocate %ub\n", |
168 | size); | ||
169 | } | ||
162 | } | 170 | } |
163 | 171 | ||
164 | return skb; | 172 | return skb; |
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c index 18ca8258a1c5..5a7a265280f9 100644 --- a/net/ipv4/netfilter/ipt_policy.c +++ b/net/ipv4/netfilter/ipt_policy.c | |||
@@ -26,10 +26,13 @@ MODULE_LICENSE("GPL"); | |||
26 | static inline int | 26 | static inline int |
27 | match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e) | 27 | match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e) |
28 | { | 28 | { |
29 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | 29 | #define MATCH_ADDR(x,y,z) (!e->match.x || \ |
30 | ((e->x.a4.s_addr == (e->y.a4.s_addr & (z))) \ | ||
31 | ^ e->invert.x)) | ||
32 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | ||
30 | 33 | ||
31 | return MATCH(saddr, x->props.saddr.a4 & e->smask) && | 34 | return MATCH_ADDR(saddr, smask, x->props.saddr.a4) && |
32 | MATCH(daddr, x->id.daddr.a4 & e->dmask) && | 35 | MATCH_ADDR(daddr, dmask, x->id.daddr.a4) && |
33 | MATCH(proto, x->id.proto) && | 36 | MATCH(proto, x->id.proto) && |
34 | MATCH(mode, x->props.mode) && | 37 | MATCH(mode, x->props.mode) && |
35 | MATCH(spi, x->id.spi) && | 38 | MATCH(spi, x->id.spi) && |
@@ -89,7 +92,7 @@ match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info) | |||
89 | return 0; | 92 | return 0; |
90 | } | 93 | } |
91 | 94 | ||
92 | return strict ? 1 : 0; | 95 | return strict ? i == info->len : 0; |
93 | } | 96 | } |
94 | 97 | ||
95 | static int match(const struct sk_buff *skb, | 98 | static int match(const struct sk_buff *skb, |
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 847068fd3367..74ff56c322f4 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -978,6 +978,13 @@ do_replace(void __user *user, unsigned int len) | |||
978 | if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) | 978 | if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) |
979 | return -EFAULT; | 979 | return -EFAULT; |
980 | 980 | ||
981 | /* overflow check */ | ||
982 | if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - | ||
983 | SMP_CACHE_BYTES) | ||
984 | return -ENOMEM; | ||
985 | if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) | ||
986 | return -ENOMEM; | ||
987 | |||
981 | newinfo = xt_alloc_table_info(tmp.size); | 988 | newinfo = xt_alloc_table_info(tmp.size); |
982 | if (!newinfo) | 989 | if (!newinfo) |
983 | return -ENOMEM; | 990 | return -ENOMEM; |
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c index afe1cc4c18a5..3d39ec924041 100644 --- a/net/ipv6/netfilter/ip6t_policy.c +++ b/net/ipv6/netfilter/ip6t_policy.c | |||
@@ -26,8 +26,9 @@ MODULE_LICENSE("GPL"); | |||
26 | static inline int | 26 | static inline int |
27 | match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e) | 27 | match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e) |
28 | { | 28 | { |
29 | #define MATCH_ADDR(x,y,z) (!e->match.x || \ | 29 | #define MATCH_ADDR(x,y,z) (!e->match.x || \ |
30 | ((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x) | 30 | ((!ip6_masked_addrcmp(&e->x.a6, &e->y.a6, z)) \ |
31 | ^ e->invert.x)) | ||
31 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | 32 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) |
32 | 33 | ||
33 | return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) && | 34 | return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) && |
@@ -91,7 +92,7 @@ match_policy_out(const struct sk_buff *skb, const struct ip6t_policy_info *info) | |||
91 | return 0; | 92 | return 0; |
92 | } | 93 | } |
93 | 94 | ||
94 | return strict ? 1 : 0; | 95 | return strict ? i == info->len : 0; |
95 | } | 96 | } |
96 | 97 | ||
97 | static int match(const struct sk_buff *skb, | 98 | static int match(const struct sk_buff *skb, |
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 62bb509f05d4..0ce337a1d974 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
@@ -188,7 +188,7 @@ extern struct nf_conntrack_protocol nf_conntrack_generic_protocol; | |||
188 | struct nf_conntrack_protocol * | 188 | struct nf_conntrack_protocol * |
189 | __nf_ct_proto_find(u_int16_t l3proto, u_int8_t protocol) | 189 | __nf_ct_proto_find(u_int16_t l3proto, u_int8_t protocol) |
190 | { | 190 | { |
191 | if (unlikely(nf_ct_protos[l3proto] == NULL)) | 191 | if (unlikely(l3proto >= AF_MAX || nf_ct_protos[l3proto] == NULL)) |
192 | return &nf_conntrack_generic_protocol; | 192 | return &nf_conntrack_generic_protocol; |
193 | 193 | ||
194 | return nf_ct_protos[l3proto][protocol]; | 194 | return nf_ct_protos[l3proto][protocol]; |
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index ab0c920f0d30..6f210f399762 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c | |||
@@ -657,8 +657,6 @@ static int __init init(void) | |||
657 | /* FIXME should be configurable whether IPv4 and IPv6 FTP connections | 657 | /* FIXME should be configurable whether IPv4 and IPv6 FTP connections |
658 | are tracked or not - YK */ | 658 | are tracked or not - YK */ |
659 | for (i = 0; i < ports_c; i++) { | 659 | for (i = 0; i < ports_c; i++) { |
660 | memset(&ftp[i], 0, sizeof(struct nf_conntrack_helper)); | ||
661 | |||
662 | ftp[i][0].tuple.src.l3num = PF_INET; | 660 | ftp[i][0].tuple.src.l3num = PF_INET; |
663 | ftp[i][1].tuple.src.l3num = PF_INET6; | 661 | ftp[i][1].tuple.src.l3num = PF_INET6; |
664 | for (j = 0; j < 2; j++) { | 662 | for (j = 0; j < 2; j++) { |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 73ab16bc7d40..9ff3463037e1 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
@@ -1232,7 +1232,7 @@ static int ctnetlink_expect_event(struct notifier_block *this, | |||
1232 | 1232 | ||
1233 | b = skb->tail; | 1233 | b = skb->tail; |
1234 | 1234 | ||
1235 | type |= NFNL_SUBSYS_CTNETLINK << 8; | 1235 | type |= NFNL_SUBSYS_CTNETLINK_EXP << 8; |
1236 | nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg)); | 1236 | nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg)); |
1237 | nfmsg = NLMSG_DATA(nlh); | 1237 | nfmsg = NLMSG_DATA(nlh); |
1238 | 1238 | ||
@@ -1589,6 +1589,7 @@ static struct nfnetlink_subsystem ctnl_exp_subsys = { | |||
1589 | }; | 1589 | }; |
1590 | 1590 | ||
1591 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); | 1591 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); |
1592 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); | ||
1592 | 1593 | ||
1593 | static int __init ctnetlink_init(void) | 1594 | static int __init ctnetlink_init(void) |
1594 | { | 1595 | { |
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index e10512e229b6..3b3c781b40c0 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c | |||
@@ -37,7 +37,7 @@ | |||
37 | #include "../bridge/br_private.h" | 37 | #include "../bridge/br_private.h" |
38 | #endif | 38 | #endif |
39 | 39 | ||
40 | #define NFULNL_NLBUFSIZ_DEFAULT 4096 | 40 | #define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE |
41 | #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */ | 41 | #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */ |
42 | #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */ | 42 | #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */ |
43 | 43 | ||
@@ -314,24 +314,28 @@ static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, | |||
314 | unsigned int pkt_size) | 314 | unsigned int pkt_size) |
315 | { | 315 | { |
316 | struct sk_buff *skb; | 316 | struct sk_buff *skb; |
317 | unsigned int n; | ||
317 | 318 | ||
318 | UDEBUG("entered (%u, %u)\n", inst_size, pkt_size); | 319 | UDEBUG("entered (%u, %u)\n", inst_size, pkt_size); |
319 | 320 | ||
320 | /* alloc skb which should be big enough for a whole multipart | 321 | /* alloc skb which should be big enough for a whole multipart |
321 | * message. WARNING: has to be <= 128k due to slab restrictions */ | 322 | * message. WARNING: has to be <= 128k due to slab restrictions */ |
322 | 323 | ||
323 | skb = alloc_skb(inst_size, GFP_ATOMIC); | 324 | n = max(inst_size, pkt_size); |
325 | skb = alloc_skb(n, GFP_ATOMIC); | ||
324 | if (!skb) { | 326 | if (!skb) { |
325 | PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n", | 327 | PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n", |
326 | inst_size); | 328 | inst_size); |
327 | 329 | ||
328 | /* try to allocate only as much as we need for current | 330 | if (n > pkt_size) { |
329 | * packet */ | 331 | /* try to allocate only as much as we need for current |
332 | * packet */ | ||
330 | 333 | ||
331 | skb = alloc_skb(pkt_size, GFP_ATOMIC); | 334 | skb = alloc_skb(pkt_size, GFP_ATOMIC); |
332 | if (!skb) | 335 | if (!skb) |
333 | PRINTR("nfnetlink_log: can't even alloc %u bytes\n", | 336 | PRINTR("nfnetlink_log: can't even alloc %u " |
334 | pkt_size); | 337 | "bytes\n", pkt_size); |
338 | } | ||
335 | } | 339 | } |
336 | 340 | ||
337 | return skb; | 341 | return skb; |
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 18ed9c5d209c..cac38b2e147a 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c | |||
@@ -825,7 +825,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, | |||
825 | } | 825 | } |
826 | 826 | ||
827 | if (nfqa[NFQA_MARK-1]) | 827 | if (nfqa[NFQA_MARK-1]) |
828 | skb->nfmark = ntohl(*(u_int32_t *)NFA_DATA(nfqa[NFQA_MARK-1])); | 828 | entry->skb->nfmark = ntohl(*(u_int32_t *) |
829 | NFA_DATA(nfqa[NFQA_MARK-1])); | ||
829 | 830 | ||
830 | issue_verdict(entry, verdict); | 831 | issue_verdict(entry, verdict); |
831 | instance_put(queue); | 832 | instance_put(queue); |