Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5824b89f authored by Simon Dubray's avatar Simon Dubray Committed by Amit Pundir
Browse files

ANDROID: netfilter: xt_qtaguid: handle properly request sockets 



To match rules related to uid/gid for syn recv packets
we need to get the full socket from request_sock struct.

Bug: 63917742
Change-Id: I03acb2251319fd800d0e36a6dde30fc1fbb7d1b0
Signed-off-by: default avatarSimon Dubray <simonx.dubray@intel.com>
parent f2ad6ade

net/netfilter/xt_qtaguid.c

+18 −11
Original line number Diff line number Diff line
@@ -1597,14 +1597,6 @@ static struct sock *qtaguid_find_sk(const struct sk_buff *skb, 
	if (sk) {

		MT_DEBUG("qtaguid: %p->sk_proto=%u "

			 "->sk_state=%d\n", sk, sk->sk_protocol, sk->sk_state);

		/*

		 * When in TCP_TIME_WAIT the sk is not a "struct sock" but

		 * "struct inet_timewait_sock" which is missing fields.

		 */

		if (!sk_fullsock(sk) || sk->sk_state  == TCP_TIME_WAIT) {

			sock_gen_put(sk);

			sk = NULL;

		}

	}

	return sk;

}
@@ -1696,11 +1688,26 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) 
		 * and the matching socket is already closed and gone.

		 */

		sk = qtaguid_find_sk(skb, par);

		/*

		 * TCP_NEW_SYN_RECV are not "struct sock" but "struct request_sock"

		 * where we can get a pointer to a full socket to retrieve uid/gid.

		 * When in TCP_TIME_WAIT, sk is a struct inet_timewait_sock

		 * which is missing fields and does not contain any reference

		 * to a full socket, so just ignore the socket.

		 */

		if (sk && sk->sk_state == TCP_NEW_SYN_RECV) {

			sock_gen_put(sk);

			sk = sk_to_full_sk(sk);

		} else if (sk && (!sk_fullsock(sk) || sk->sk_state == TCP_TIME_WAIT)) {

			sock_gen_put(sk);

			sk = NULL;

		} else {

			/*

			 * If we got the socket from the find_sk(), we will need to put

			 * it back, as nf_tproxy_get_sock_v4() got it.

			 */

			got_sock = sk;

		}

		if (sk)

			atomic64_inc(&qtu_events.match_found_sk_in_ct);

		else