diff options
| author | David S. Miller <davem@davemloft.net> | 2014-05-09 13:17:30 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-05-09 13:17:30 -0400 |
| commit | b3d4056632297232412dda95c9b72b1199fa797d (patch) | |
| tree | 6310c062e2db2c48df06694cb1e0c561b42eaab6 | |
| parent | 6af55ff52b02d492d45db88df3e461fa51a6f753 (diff) | |
| parent | a8951d5814e1373807a94f79f7ccec7041325470 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following batch contains netfilter fixes for your net tree, they are:
1) Fix use after free in nfnetlink when sending a batch for some
unsupported subsystem, from Denys Fedoryshchenko.
2) Skip autoload of the nat module if no binding is specified via
ctnetlink, from Florian Westphal.
3) Set local_df after netfilter defragmentation to avoid a bogus ICMP
fragmentation needed in the forwarding path, also from Florian.
4) Fix potential user after free in ip6_route_me_harder() when returning
the error code to the upper layers, from Sergey Popovich.
5) Skip possible bogus ICMP time exceeded emitted from the router (not
valid according to RFC) if conntrack zones are used, from Vasily Averin.
6) Fix fragment handling when nf_defrag_ipv4 is loaded but nf_conntrack
is not present, also from Vasily.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/bridge/br_netfilter.c | 4 | ||||
| -rw-r--r-- | net/ipv4/ip_fragment.c | 5 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_defrag_ipv4.c | 5 | ||||
| -rw-r--r-- | net/ipv6/netfilter.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 3 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink.c | 8 |
6 files changed, 19 insertions, 12 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 80e1b0f60a30..2acf7fa1fec6 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c | |||
| @@ -859,12 +859,12 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops, | |||
| 859 | return NF_STOLEN; | 859 | return NF_STOLEN; |
| 860 | } | 860 | } |
| 861 | 861 | ||
| 862 | #if IS_ENABLED(CONFIG_NF_CONNTRACK_IPV4) | 862 | #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) |
| 863 | static int br_nf_dev_queue_xmit(struct sk_buff *skb) | 863 | static int br_nf_dev_queue_xmit(struct sk_buff *skb) |
| 864 | { | 864 | { |
| 865 | int ret; | 865 | int ret; |
| 866 | 866 | ||
| 867 | if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) && | 867 | if (skb->protocol == htons(ETH_P_IP) && |
| 868 | skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu && | 868 | skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu && |
| 869 | !skb_is_gso(skb)) { | 869 | !skb_is_gso(skb)) { |
| 870 | if (br_parse_ip_options(skb)) | 870 | if (br_parse_ip_options(skb)) |
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index c10a3ce5cbff..ed32313e307c 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c | |||
| @@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg) | |||
| 232 | * "Fragment Reassembly Timeout" message, per RFC792. | 232 | * "Fragment Reassembly Timeout" message, per RFC792. |
| 233 | */ | 233 | */ |
| 234 | if (qp->user == IP_DEFRAG_AF_PACKET || | 234 | if (qp->user == IP_DEFRAG_AF_PACKET || |
| 235 | (qp->user == IP_DEFRAG_CONNTRACK_IN && | 235 | ((qp->user >= IP_DEFRAG_CONNTRACK_IN) && |
| 236 | skb_rtable(head)->rt_type != RTN_LOCAL)) | 236 | (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) && |
| 237 | (skb_rtable(head)->rt_type != RTN_LOCAL))) | ||
| 237 | goto out_rcu_unlock; | 238 | goto out_rcu_unlock; |
| 238 | 239 | ||
| 239 | 240 | ||
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index 12e13bd82b5b..f40f321b41fc 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c | |||
| @@ -22,7 +22,6 @@ | |||
| 22 | #endif | 22 | #endif |
| 23 | #include <net/netfilter/nf_conntrack_zones.h> | 23 | #include <net/netfilter/nf_conntrack_zones.h> |
| 24 | 24 | ||
| 25 | /* Returns new sk_buff, or NULL */ | ||
| 26 | static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) | 25 | static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) |
| 27 | { | 26 | { |
| 28 | int err; | 27 | int err; |
| @@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) | |||
| 33 | err = ip_defrag(skb, user); | 32 | err = ip_defrag(skb, user); |
| 34 | local_bh_enable(); | 33 | local_bh_enable(); |
| 35 | 34 | ||
| 36 | if (!err) | 35 | if (!err) { |
| 37 | ip_send_check(ip_hdr(skb)); | 36 | ip_send_check(ip_hdr(skb)); |
| 37 | skb->local_df = 1; | ||
| 38 | } | ||
| 38 | 39 | ||
| 39 | return err; | 40 | return err; |
| 40 | } | 41 | } |
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 95f3f1da0d7f..d38e6a8d8b9f 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c | |||
| @@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *skb) | |||
| 30 | .daddr = iph->daddr, | 30 | .daddr = iph->daddr, |
| 31 | .saddr = iph->saddr, | 31 | .saddr = iph->saddr, |
| 32 | }; | 32 | }; |
| 33 | int err; | ||
| 33 | 34 | ||
| 34 | dst = ip6_route_output(net, skb->sk, &fl6); | 35 | dst = ip6_route_output(net, skb->sk, &fl6); |
| 35 | if (dst->error) { | 36 | err = dst->error; |
| 37 | if (err) { | ||
| 36 | IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); | 38 | IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); |
| 37 | LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); | 39 | LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); |
| 38 | dst_release(dst); | 40 | dst_release(dst); |
| 39 | return dst->error; | 41 | return err; |
| 40 | } | 42 | } |
| 41 | 43 | ||
| 42 | /* Drop old route. */ | 44 | /* Drop old route. */ |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index ccc46fa5edbc..58579634427d 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -1336,6 +1336,9 @@ ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[]) | |||
| 1336 | #ifdef CONFIG_NF_NAT_NEEDED | 1336 | #ifdef CONFIG_NF_NAT_NEEDED |
| 1337 | int ret; | 1337 | int ret; |
| 1338 | 1338 | ||
| 1339 | if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) | ||
| 1340 | return 0; | ||
| 1341 | |||
| 1339 | ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, | 1342 | ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, |
| 1340 | cda[CTA_NAT_DST]); | 1343 | cda[CTA_NAT_DST]); |
| 1341 | if (ret < 0) | 1344 | if (ret < 0) |
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index e009087620e3..23ef77c60fff 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c | |||
| @@ -256,15 +256,15 @@ replay: | |||
| 256 | #endif | 256 | #endif |
| 257 | { | 257 | { |
| 258 | nfnl_unlock(subsys_id); | 258 | nfnl_unlock(subsys_id); |
| 259 | kfree_skb(nskb); | 259 | netlink_ack(skb, nlh, -EOPNOTSUPP); |
| 260 | return netlink_ack(skb, nlh, -EOPNOTSUPP); | 260 | return kfree_skb(nskb); |
| 261 | } | 261 | } |
| 262 | } | 262 | } |
| 263 | 263 | ||
| 264 | if (!ss->commit || !ss->abort) { | 264 | if (!ss->commit || !ss->abort) { |
| 265 | nfnl_unlock(subsys_id); | 265 | nfnl_unlock(subsys_id); |
| 266 | kfree_skb(nskb); | 266 | netlink_ack(skb, nlh, -EOPNOTSUPP); |
| 267 | return netlink_ack(skb, nlh, -EOPNOTSUPP); | 267 | return kfree_skb(skb); |
| 268 | } | 268 | } |
| 269 | 269 | ||
| 270 | while (skb->len >= nlmsg_total_size(0)) { | 270 | while (skb->len >= nlmsg_total_size(0)) { |