Commit ac0024ba authored Jun 06, 2019 by Guillaume Nault Committed by Greg Kroah-Hartman Jul 10, 2019

netfilter: ipv6: nf_defrag: accept duplicate fragments again



[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]

When fixing the skb leak introduced by the conversion to rbtree, I
forgot about the special case of duplicate fragments. The condition
under the 'insert_error' label isn't effective anymore as
nf_ct_frg6_gather() doesn't override the returned value anymore. So
duplicate fragments now get NF_DROP verdict.

To accept duplicate fragments again, handle them specially as soon as
inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
translate to NF_STOLEN verdict, like any accepted fragment. However,
such packets don't carry any new information and aren't queued, so we
just drop them immediately.

Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 54e8cf41

net/ipv6/netfilter/nf_conntrack_reasm.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -265,8 +265,14 @@ static int nf_ct_frag6_queue(struct frag_queue fq, struct sk_buff skb,

		prev = fq->q.fragments_tail;
		err = inet_frag_queue_insert(&fq->q, skb, offset, end);
		if (err)
		if (err) {
		if (err == IPFRAG_DUP) {
		/* No error for duplicates, pretend they got queued. */
		kfree_skb(skb);
		return -EINPROGRESS;
		}
		goto insert_error;
		}

		if (dev)
		fq->iif = dev->ifindex;
		@@ -304,8 +310,6 @@ static int nf_ct_frag6_queue(struct frag_queue fq, struct sk_buff skb,
		return -EINPROGRESS;

		insert_error:
		if (err == IPFRAG_DUP)
		goto err;
		inet_frag_kill(&fq->q);
		err:
		skb_dst_drop(skb);