aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2012-09-13 13:53:06 -0400
committerDavid S. Miller <davem@davemloft.net>2012-09-13 13:53:06 -0400
commit930521695c183c8a4da8fe13ce231cf5263b8d98 (patch)
treec1d94f96ebc7584c54872d1e7b6771eb3ffb59c3 /net
parentbdfc87f7d1e253e0a61e2fc6a75ea9d76f7fc03a (diff)
parent16af511a666827eaf5802144f09e2fb7b0942c99 (diff)
Merge branch 'master' of git://1984.lsi.us.es/nf
Pablo Neira Ayuso say: ==================== The following patchset contains four updates for your net tree, they are: * Fix crash on timewait sockets, since the TCP early demux was added, in nfnetlink_log, from Eric Dumazet. * Fix broken syslog log-level for xt_LOG and ebt_log since printk format was converted from <.> to a 2 bytes pattern using ASCII SOH, from Joe Perches. * Two security fixes for the TCP connection tracking targeting off-path attacks, from Jozsef Kadlecsik. The problem was discovered by Jan Wrobel and it is documented in: http://mixedbit.org/reflection_scan/reflection_scan.pdf. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/bridge/netfilter/ebt_log.c2
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c29
-rw-r--r--net/netfilter/nfnetlink_log.c14
-rw-r--r--net/netfilter/xt_LOG.c37
4 files changed, 38 insertions, 44 deletions
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index f88ee537fb2b..92de5e5f9db2 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -80,7 +80,7 @@ ebt_log_packet(u_int8_t pf, unsigned int hooknum,
80 unsigned int bitmask; 80 unsigned int bitmask;
81 81
82 spin_lock_bh(&ebt_log_lock); 82 spin_lock_bh(&ebt_log_lock);
83 printk("<%c>%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x", 83 printk(KERN_SOH "%c%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
84 '0' + loginfo->u.log.level, prefix, 84 '0' + loginfo->u.log.level, prefix,
85 in ? in->name : "", out ? out->name : "", 85 in ? in->name : "", out ? out->name : "",
86 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 86 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index a5ac11ebef33..e046b3756aab 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
158 * sCL -> sSS 158 * sCL -> sSS
159 */ 159 */
160/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 160/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
161/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR }, 161/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
162/* 162/*
163 * sNO -> sIV Too late and no reason to do anything 163 * sNO -> sIV Too late and no reason to do anything
164 * sSS -> sIV Client can't send SYN and then SYN/ACK 164 * sSS -> sIV Client can't send SYN and then SYN/ACK
165 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open 165 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
166 * sSR -> sIG 166 * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
167 * sES -> sIG Error: SYNs in window outside the SYN_SENT state 167 * sES -> sIV Invalid SYN/ACK packets sent by the client
168 * are errors. Receiver will reply with RST 168 * sFW -> sIV
169 * and close the connection. 169 * sCW -> sIV
170 * Or we are not in sync and hold a dead connection. 170 * sLA -> sIV
171 * sFW -> sIG 171 * sTW -> sIV
172 * sCW -> sIG 172 * sCL -> sIV
173 * sLA -> sIG
174 * sTW -> sIG
175 * sCL -> sIG
176 */ 173 */
177/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 174/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
178/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV }, 175/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
@@ -633,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
633 ack = sack = receiver->td_end; 630 ack = sack = receiver->td_end;
634 } 631 }
635 632
636 if (seq == end 633 if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
637 && (!tcph->rst
638 || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
639 /* 634 /*
640 * Packets contains no data: we assume it is valid 635 * RST sent answering SYN.
641 * and check the ack value only.
642 * However RST segments are always validated by their
643 * SEQ number, except when seq == 0 (reset sent answering
644 * SYN.
645 */ 636 */
646 seq = end = sender->td_end; 637 seq = end = sender->td_end;
647 638
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 14e2f3903142..5cfb5bedb2b8 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -381,6 +381,7 @@ __build_packet_message(struct nfulnl_instance *inst,
381 struct nlmsghdr *nlh; 381 struct nlmsghdr *nlh;
382 struct nfgenmsg *nfmsg; 382 struct nfgenmsg *nfmsg;
383 sk_buff_data_t old_tail = inst->skb->tail; 383 sk_buff_data_t old_tail = inst->skb->tail;
384 struct sock *sk;
384 385
385 nlh = nlmsg_put(inst->skb, 0, 0, 386 nlh = nlmsg_put(inst->skb, 0, 0,
386 NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET, 387 NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
@@ -499,18 +500,19 @@ __build_packet_message(struct nfulnl_instance *inst,
499 } 500 }
500 501
501 /* UID */ 502 /* UID */
502 if (skb->sk) { 503 sk = skb->sk;
503 read_lock_bh(&skb->sk->sk_callback_lock); 504 if (sk && sk->sk_state != TCP_TIME_WAIT) {
504 if (skb->sk->sk_socket && skb->sk->sk_socket->file) { 505 read_lock_bh(&sk->sk_callback_lock);
505 struct file *file = skb->sk->sk_socket->file; 506 if (sk->sk_socket && sk->sk_socket->file) {
507 struct file *file = sk->sk_socket->file;
506 __be32 uid = htonl(file->f_cred->fsuid); 508 __be32 uid = htonl(file->f_cred->fsuid);
507 __be32 gid = htonl(file->f_cred->fsgid); 509 __be32 gid = htonl(file->f_cred->fsgid);
508 read_unlock_bh(&skb->sk->sk_callback_lock); 510 read_unlock_bh(&sk->sk_callback_lock);
509 if (nla_put_be32(inst->skb, NFULA_UID, uid) || 511 if (nla_put_be32(inst->skb, NFULA_UID, uid) ||
510 nla_put_be32(inst->skb, NFULA_GID, gid)) 512 nla_put_be32(inst->skb, NFULA_GID, gid))
511 goto nla_put_failure; 513 goto nla_put_failure;
512 } else 514 } else
513 read_unlock_bh(&skb->sk->sk_callback_lock); 515 read_unlock_bh(&sk->sk_callback_lock);
514 } 516 }
515 517
516 /* local sequence number */ 518 /* local sequence number */
diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
index ff5f75fddb15..91e9af4d1f42 100644
--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -145,6 +145,19 @@ static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb,
145 return 0; 145 return 0;
146} 146}
147 147
148static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk)
149{
150 if (!sk || sk->sk_state == TCP_TIME_WAIT)
151 return;
152
153 read_lock_bh(&sk->sk_callback_lock);
154 if (sk->sk_socket && sk->sk_socket->file)
155 sb_add(m, "UID=%u GID=%u ",
156 sk->sk_socket->file->f_cred->fsuid,
157 sk->sk_socket->file->f_cred->fsgid);
158 read_unlock_bh(&sk->sk_callback_lock);
159}
160
148/* One level of recursion won't kill us */ 161/* One level of recursion won't kill us */
149static void dump_ipv4_packet(struct sbuff *m, 162static void dump_ipv4_packet(struct sbuff *m,
150 const struct nf_loginfo *info, 163 const struct nf_loginfo *info,
@@ -361,14 +374,8 @@ static void dump_ipv4_packet(struct sbuff *m,
361 } 374 }
362 375
363 /* Max length: 15 "UID=4294967295 " */ 376 /* Max length: 15 "UID=4294967295 " */
364 if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) { 377 if ((logflags & XT_LOG_UID) && !iphoff)
365 read_lock_bh(&skb->sk->sk_callback_lock); 378 dump_sk_uid_gid(m, skb->sk);
366 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
367 sb_add(m, "UID=%u GID=%u ",
368 skb->sk->sk_socket->file->f_cred->fsuid,
369 skb->sk->sk_socket->file->f_cred->fsgid);
370 read_unlock_bh(&skb->sk->sk_callback_lock);
371 }
372 379
373 /* Max length: 16 "MARK=0xFFFFFFFF " */ 380 /* Max length: 16 "MARK=0xFFFFFFFF " */
374 if (!iphoff && skb->mark) 381 if (!iphoff && skb->mark)
@@ -436,8 +443,8 @@ log_packet_common(struct sbuff *m,
436 const struct nf_loginfo *loginfo, 443 const struct nf_loginfo *loginfo,
437 const char *prefix) 444 const char *prefix)
438{ 445{
439 sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level, 446 sb_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
440 prefix, 447 '0' + loginfo->u.log.level, prefix,
441 in ? in->name : "", 448 in ? in->name : "",
442 out ? out->name : ""); 449 out ? out->name : "");
443#ifdef CONFIG_BRIDGE_NETFILTER 450#ifdef CONFIG_BRIDGE_NETFILTER
@@ -717,14 +724,8 @@ static void dump_ipv6_packet(struct sbuff *m,
717 } 724 }
718 725
719 /* Max length: 15 "UID=4294967295 " */ 726 /* Max length: 15 "UID=4294967295 " */
720 if ((logflags & XT_LOG_UID) && recurse && skb->sk) { 727 if ((logflags & XT_LOG_UID) && recurse)
721 read_lock_bh(&skb->sk->sk_callback_lock); 728 dump_sk_uid_gid(m, skb->sk);
722 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
723 sb_add(m, "UID=%u GID=%u ",
724 skb->sk->sk_socket->file->f_cred->fsuid,
725 skb->sk->sk_socket->file->f_cred->fsgid);
726 read_unlock_bh(&skb->sk->sk_callback_lock);
727 }
728 729
729 /* Max length: 16 "MARK=0xFFFFFFFF " */ 730 /* Max length: 16 "MARK=0xFFFFFFFF " */
730 if (!recurse && skb->mark) 731 if (!recurse && skb->mark)
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-23 05:44:02 -0500