| author | David S. Miller <davem@davemloft.net> | 2014-01-08 15:04:56 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-01-08 15:04:56 -0500 |
| commit | 54b553e2c16001d13e0186cad2531764065f9a1b (patch) | |
| tree | a43c673e5e5aeaa87ba86f334b069453e9374569 /net/netfilter | |
| parent | 80077935cad223b292d4a03e901a953b20a36593 (diff) | |
| parent | b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter updates for net-next
The following patchset contains three Netfilter updates, they are:
* Fix wrong usage of skb_header_pointer in the DCCP protocol helper that
has been there for quite some time. It was resulting in copying the dccp
header to a pointer allocated on the stack. Fortunately, this pointer
provides room for the dccp header, which is 4 bytes long, so no crashes have been
reported so far. From Daniel Borkmann.
* Use format string to print in the invocation of nf_log_packet(), again
in the DCCP helper. Also from Daniel Borkmann.
* Revert "netfilter: avoid get_random_bytes call" as prandom32 does not
guarantee enough entropy when calling this at boot time, which may
happen when reloading the rule.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_dccp.c | 10 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_log.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nft_hash.c | 2 | ||||
| -rw-r--r-- | net/netfilter/xt_RATEEST.c | 2 | ||||
| -rw-r--r-- | net/netfilter/xt_connlimit.c | 2 | ||||
| -rw-r--r-- | net/netfilter/xt_hashlimit.c | 2 | ||||
| -rw-r--r-- | net/netfilter/xt_recent.c | 2 |
7 files changed, 18 insertions, 10 deletions
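--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
 	const char *msg;
 	u_int8_t state;
 
-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 	BUG_ON(dh == NULL);
 
 	state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
@@ -457,7 +457,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
 out_invalid:
 	if (LOG_INVALID(net, IPPROTO_DCCP))
 		nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL,
-			      NULL, msg);
+			      NULL, "%s", msg);
 	return false;
 }
 
@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
 	u_int8_t type, old_state, new_state;
 	enum ct_dccp_roles role;
 
-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 	BUG_ON(dh == NULL);
 	type = dh->dccph_type;
 
@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
 	unsigned int cscov;
 	const char *msg;
 
-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 	if (dh == NULL) {
 		msg = "nf_ct_dccp: short packet ";
 		goto out_invalid;
@@ -614,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
 
 out_invalid:
 	if (LOG_INVALID(net, IPPROTO_DCCP))
-		nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, msg);
+		nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", msg);
 	return -NF_ACCEPT;
 }
 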
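Review bot: The `BUG_ON(dh == NULL)` that follows the corrected skb_header_pointer() call at 432 and 490 is only acceptable if the header has already been length-checked before dccp_new() and dccp_packet() run; the same call at 580 in dccp_error() shows that a NULL result is reachable for a short packet, and nothing in the hunks records which ordering makes the BUG_ON unreachable. Presumably dccp_error() runs first, in which case a comment such as `/* dccp_error() already verified the header is present; NULL here is a logic error */` above each BUG_ON would make the invariant explicit. If that ordering is not guaranteed, a BUG_ON on packet-derived data is a kernel panic reachable from the wire and should be turned into a jump to the `out_invalid` path instead. All three enclosing functions start and end outside the hunks.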
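--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -28,6 +28,8 @@
 #include <linux/proc_fs.h>
 #include <linux/security.h>
 #include <linux/list.h>
+#include <linux/jhash.h>
+#include <linux/random.h>
 #include <linux/slab.h>
 #include <net/sock.h>
 #include <net/netfilter/nf_log.h>
@@ -73,6 +75,7 @@ struct nfulnl_instance {
 };
 
 #define INSTANCE_BUCKETS	16
+static unsigned int hash_init;
 
 static int nfnl_log_net_id __read_mostly;
 
@@ -1064,6 +1067,11 @@ static int __init nfnetlink_log_init(void)
 {
 	int status = -ENOMEM;
 
+	/* it's not really all that important to have a random value, so
+	 * we can do this from the init function, even if there hasn't
+	 * been that much entropy yet */
+	get_random_bytes(&hash_init, sizeof(hash_init));
+
 	netlink_register_notifier(&nfulnl_rtnl_notifier);
 	status = nfnetlink_subsys_register(&nfulnl_subsys);
 	if (status < 0) {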
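Review bot: `hash_init` is declared at 78 and written at 1073, but nothing in these hunks reads it, and the newly restored `<linux/jhash.h>` include has no visible user either; since this is a revert to an earlier state, it is worth confirming that a reader of `hash_init` still exists elsewhere in the file, because if not the variable and the include are dead state that should be dropped rather than reintroduced. The restored comment at 1070-1072 also says a random value is "not really all that important", which sits oddly with the merge description's stated reason for preferring get_random_bytes() over prandom_u32(); suggest rewording it along the lines of `/* seed the hash key at init; get_random_bytes() rather than prandom_u32() because the latter may not be seeded this early */`. nfnetlink_log_init() continues beyond the hunk.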
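--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -164,7 +164,7 @@ static int nft_hash_init(const struct nft_set *set,
 	unsigned int cnt, i;
 
 	if (unlikely(!nft_hash_rnd_initted)) {
-		nft_hash_rnd = prandom_u32();
+		get_random_bytes(&nft_hash_rnd, 4);
 		nft_hash_rnd_initted = true;
 	}
 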
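Review bot: The restored call at 167 passes a literal `4` as the byte count, while every other file in this series (xt_RATEEST.c, xt_connlimit.c, xt_hashlimit.c, xt_recent.c) uses `sizeof(variable)`; the declaration of `nft_hash_rnd` is outside the hunk, so the literal silently depends on its type staying exactly 32 bits and would either under-fill or overflow the object if that ever changed. Prefer `get_random_bytes(&nft_hash_rnd, sizeof(nft_hash_rnd));` for consistency with the sibling changes. nft_hash_init() starts and ends outside the hunk.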
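--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -100,7 +100,7 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
 	int ret;
 
 	if (unlikely(!rnd_inited)) {
-		jhash_rnd = prandom_u32();
+		get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
 		rnd_inited = true;
 	}
 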
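Review bot: The test-then-set at 102-104 is not atomic: if two checkentry calls can run concurrently, both can observe `rnd_inited == false` and seed `jhash_rnd` independently, and any table entry hashed under the first value becomes unfindable once the second overwrites it. xt_connlimit.c in this same series avoids that with a `cmpxchg(&connlimit_rnd, 0, rand)` on a never-zero value; the same shape applies here and to the identical pattern in nft_hash.c and xt_recent.c, unless those callers are already serialized by a lock taken outside the hunk. If they are, a one-line comment naming that lock, e.g. `/* serialized by <lock name>, so the unlocked check is safe */`, would document why the race is not real. xt_rateest_tg_checkentry() starts and ends outside the hunk.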
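--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -229,7 +229,7 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
 	u_int32_t rand;
 
 	do {
-		rand = prandom_u32();
+		get_random_bytes(&rand, sizeof(rand));
 	} while (!rand);
 	cmpxchg(&connlimit_rnd, 0, rand);
 }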
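Review bot: The `do { ... } while (!rand);` loop at 231-233 exists because the `cmpxchg(&connlimit_rnd, 0, rand)` at 234 uses zero as its "not yet seeded" sentinel, so a zero draw would leave the key permanently unset; that reason is not recorded at the site and a future reader could simplify the loop away. A one-line comment such as `/* 0 means "unseeded" to the cmpxchg below, so never pick it */` above the loop would preserve the intent. The enclosing block starts before the hunk.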
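--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -177,7 +177,7 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
 	/* initialize hash with random val at the time we allocate
 	 * the first hashtable entry */
 	if (unlikely(!ht->rnd_initialized)) {
-		ht->rnd = prandom_u32();
+		get_random_bytes(&ht->rnd, sizeof(ht->rnd));
 		ht->rnd_initialized = true;
 	}
 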
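--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -334,7 +334,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
 	size_t sz;
 
 	if (unlikely(!hash_rnd_inited)) {
-		hash_rnd = prandom_u32();
+		get_random_bytes(&hash_rnd, sizeof(hash_rnd));
 		hash_rnd_inited = true;
 	}
 	if (info->check_set & ~XT_RECENT_VALID_FLAGS) {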
