diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2014-10-04 10:18:02 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-24 08:24:03 -0400 |
| commit | 7677e86843e2136a9b05549a9ca47d4f744565b6 (patch) | |
| tree | e7b3937d6d81c2af30ad2d3c56724a0c30aa8b40 /net/bridge | |
| parent | c123bb7163043bb8f33858cf8e45b01c17dbd171 (diff) | |
bridge: Do not compile options in br_parse_ip_options
Commit 462fb2af9788a82a534f8184abfde31574e1cfa0
bridge : Sanitize skb before it enters the IP stack
broke when IP options are actually used because it mangles the
skb as if it entered the IP stack which is wrong because the
bridge is supposed to operate below the IP stack.
Since nobody has actually requested for parsing of IP options
this patch fixes it by simply reverting to the previous approach
of ignoring all IP options, i.e., zeroing the IPCB.
If and when somebody who uses IP options and actually needs them
to be parsed by the bridge complains then we can revisit this.
Reported-by: David Newall <davidn@davidnewall.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/bridge')
| -rw-r--r-- | net/bridge/br_netfilter.c | 24 |
1 files changed, 5 insertions, 19 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 1bada53bb195..1a4f32c09ad5 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c | |||
| @@ -192,7 +192,6 @@ static inline void nf_bridge_save_header(struct sk_buff *skb) | |||
| 192 | 192 | ||
| 193 | static int br_parse_ip_options(struct sk_buff *skb) | 193 | static int br_parse_ip_options(struct sk_buff *skb) |
| 194 | { | 194 | { |
| 195 | struct ip_options *opt; | ||
| 196 | const struct iphdr *iph; | 195 | const struct iphdr *iph; |
| 197 | struct net_device *dev = skb->dev; | 196 | struct net_device *dev = skb->dev; |
| 198 | u32 len; | 197 | u32 len; |
| @@ -201,7 +200,6 @@ static int br_parse_ip_options(struct sk_buff *skb) | |||
| 201 | goto inhdr_error; | 200 | goto inhdr_error; |
| 202 | 201 | ||
| 203 | iph = ip_hdr(skb); | 202 | iph = ip_hdr(skb); |
| 204 | opt = &(IPCB(skb)->opt); | ||
| 205 | 203 | ||
| 206 | /* Basic sanity checks */ | 204 | /* Basic sanity checks */ |
| 207 | if (iph->ihl < 5 || iph->version != 4) | 205 | if (iph->ihl < 5 || iph->version != 4) |
| @@ -227,23 +225,11 @@ static int br_parse_ip_options(struct sk_buff *skb) | |||
| 227 | } | 225 | } |
| 228 | 226 | ||
| 229 | memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); | 227 | memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); |
| 230 | if (iph->ihl == 5) | 228 | /* We should really parse IP options here but until |
| 231 | return 0; | 229 | * somebody who actually uses IP options complains to |
| 232 | 230 | * us we'll just silently ignore the options because | |
| 233 | opt->optlen = iph->ihl*4 - sizeof(struct iphdr); | 231 | * we're lazy! |
| 234 | if (ip_options_compile(dev_net(dev), opt, skb)) | 232 | */ |
| 235 | goto inhdr_error; | ||
| 236 | |||
| 237 | /* Check correct handling of SRR option */ | ||
| 238 | if (unlikely(opt->srr)) { | ||
| 239 | struct in_device *in_dev = __in_dev_get_rcu(dev); | ||
| 240 | if (in_dev && !IN_DEV_SOURCE_ROUTE(in_dev)) | ||
| 241 | goto drop; | ||
| 242 | |||
| 243 | if (ip_options_rcv_srr(skb)) | ||
| 244 | goto drop; | ||
| 245 | } | ||
| 246 | |||
| 247 | return 0; | 233 | return 0; |
| 248 | 234 | ||
| 249 | inhdr_error: | 235 | inhdr_error: |