
Commit 513acc5b authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes for your net tree:

1) Null pointer dereference when dumping conntrack helper configuration,
   from Taehee Yoo.

2) Missing sanitization in ebtables extension name through compat,
   from Paolo Abeni.

3) Broken fetch of tracing value, from Taehee Yoo.

4) Incorrect arithmetics in packet ratelimiting.

5) Buffer overflow in IPVS sync daemon, from Julian Anastasov.

6) Wrong argument to nla_strlcpy() in nfnetlink_{acct,cthelper},
   from Eric Dumazet.

7) Fix splat in nft_update_chain_stats().

8) Null pointer dereference from object netlink dump path, from
   Taehee Yoo.

9) Missing static_branch_inc() when enabling counters in existing
   chain, from Taehee Yoo.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents bc2dbc54 bbb8c61f
+2 −1
@@ -1954,7 +1954,8 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
	int off, pad = 0;
	unsigned int size_kern, match_size = mwt->match_size;

	strlcpy(name, mwt->u.name, sizeof(name));
	if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
		return -EINVAL;

	if (state->buf_kern_start)
		dst = state->buf_kern_start + state->buf_kern_offset;
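Review bot: The new check `if (strscpy(name, mwt->u.name, sizeof(name)) < 0)` rejects only a truncated name, so an empty extension name still continues past it, whereas the IPVS section of this same commit treats an empty result as invalid with `<= 0`. If empty names are meant to be refused further down in compat_mtw_from_user() (the rest of the body is outside the hunk), a one-line comment above the check, e.g. `/* refuse a truncated name rather than match a different extension */`, would record why only truncation is an error here. The copy is bounded by `sizeof(name)`, so it also relies on `mwt->u.name` being at least that large; neither declaration is visible in this hunk, so that is worth confirming.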
+15 −6
@@ -2381,8 +2381,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
			struct ipvs_sync_daemon_cfg cfg;

			memset(&cfg, 0, sizeof(cfg));
			strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
				sizeof(cfg.mcast_ifn));
			ret = -EINVAL;
			if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
				    sizeof(cfg.mcast_ifn)) <= 0)
				goto out_dec;
			cfg.syncid = dm->syncid;
			ret = start_sync_thread(ipvs, &cfg, dm->state);
		} else {
@@ -2420,12 +2422,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
		}
	}

	if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
	    strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
	    IP_VS_SCHEDNAME_MAXLEN) {
		ret = -EINVAL;
		goto out_unlock;
	}

	/* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
	if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
	    usvc.protocol != IPPROTO_SCTP) {
		pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
		pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
		       usvc.protocol, &usvc.addr.ip,
		       ntohs(usvc.port), usvc.sched_name);
		       ntohs(usvc.port));
		ret = -EFAULT;
		goto out_unlock;
	}
@@ -2847,7 +2856,7 @@ static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
	[IPVS_DAEMON_ATTR_STATE]	= { .type = NLA_U32 },
	[IPVS_DAEMON_ATTR_MCAST_IFN]	= { .type = NLA_NUL_STRING,
					    .len = IP_VS_IFNAME_MAXLEN },
					    .len = IP_VS_IFNAME_MAXLEN - 1 },
	[IPVS_DAEMON_ATTR_SYNC_ID]	= { .type = NLA_U32 },
	[IPVS_DAEMON_ATTR_SYNC_MAXLEN]	= { .type = NLA_U16 },
	[IPVS_DAEMON_ATTR_MCAST_GROUP]	= { .type = NLA_U32 },
@@ -2865,7 +2874,7 @@ static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
	[IPVS_SVC_ATTR_PORT]		= { .type = NLA_U16 },
	[IPVS_SVC_ATTR_FWMARK]		= { .type = NLA_U32 },
	[IPVS_SVC_ATTR_SCHED_NAME]	= { .type = NLA_NUL_STRING,
					    .len = IP_VS_SCHEDNAME_MAXLEN },
					    .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
	[IPVS_SVC_ATTR_PE_NAME]		= { .type = NLA_NUL_STRING,
					    .len = IP_VS_PENAME_MAXLEN },
	[IPVS_SVC_ATTR_FLAGS]		= { .type = NLA_BINARY,
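Review bot: `IPVS_SVC_ATTR_PE_NAME` keeps `.len = IP_VS_PENAME_MAXLEN` while the MCAST_IFN and SCHED_NAME entries, also NLA_NUL_STRING, are tightened to `MAXLEN - 1` in this section, so a persistence-engine name of exactly IP_VS_PENAME_MAXLEN characters plus its NUL still passes policy validation. That is only safe if pe_name is never copied into an IP_VS_PENAME_MAXLEN-sized buffer; its consumers are outside these hunks. Either apply `.len = IP_VS_PENAME_MAXLEN - 1` as well, or add a comment on the entry stating why its bound differs from its neighbours.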
+5 −3
@@ -1298,8 +1298,10 @@ static void nft_chain_stats_replace(struct nft_base_chain *chain,
		rcu_assign_pointer(chain->stats, newstats);
		synchronize_rcu();
		free_percpu(oldstats);
	} else
	} else {
		rcu_assign_pointer(chain->stats, newstats);
		static_branch_inc(&nft_counters_enabled);
	}
}

static void nf_tables_chain_destroy(struct nft_ctx *ctx)
@@ -4706,7 +4708,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
			if (idx > s_idx)
				memset(&cb->args[1], 0,
				       sizeof(cb->args) - sizeof(cb->args[0]));
			if (filter && filter->table[0] &&
			if (filter && filter->table &&
			    strcmp(filter->table, table->name))
				goto cont;
			if (filter &&
@@ -5380,7 +5382,7 @@ static int nf_tables_dump_flowtable(struct sk_buff *skb,
			if (idx > s_idx)
				memset(&cb->args[1], 0,
				       sizeof(cb->args) - sizeof(cb->args[0]));
			if (filter && filter->table[0] &&
			if (filter && filter->table &&
			    strcmp(filter->table, table->name))
				goto cont;
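Review bot: The `static_branch_inc(&nft_counters_enabled)` added in the else branch of nft_chain_stats_replace() has no visible counterpart in this section, so the key stays balanced only if chain teardown drops it once for every chain that has stats. nf_tables_chain_destroy() begins right after the first hunk and its body is not shown; it is worth confirming that it pairs with this enable as well as with the one presumably done at chain creation. A short comment in the else branch, e.g. `/* first stats on this chain: take a reference on the counters key */`, would explain why the replace branch above does not need the increment.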

+2 −2
@@ -126,15 +126,15 @@ static noinline void nft_update_chain_stats(const struct nft_chain *chain,
	if (!base_chain->stats)
		return;

	local_bh_disable();
	stats = this_cpu_ptr(rcu_dereference(base_chain->stats));
	if (stats) {
		local_bh_disable();
		u64_stats_update_begin(&stats->syncp);
		stats->pkts++;
		stats->bytes += pkt->skb->len;
		u64_stats_update_end(&stats->syncp);
		local_bh_enable();
	}
	local_bh_enable();
}

struct nft_jumpstack {
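Review bot: The `if (stats)` test after `this_cpu_ptr(rcu_dereference(base_chain->stats))` cannot catch a NULL stats pointer, because this_cpu_ptr() applies the per-CPU offset to whatever it is given. The only effective NULL check is the earlier `if (!base_chain->stats)`, which is a separate, unannotated load of an RCU-managed pointer. If the pointer can change between the two loads, the second value is used unchecked. Loading it once inside the bh-disabled region closes that gap: `pstats = rcu_dereference(base_chain->stats); if (pstats) { stats = this_cpu_ptr(pstats); ... }`, with `pstats` declared as a `__percpu` pointer of the same type as `base_chain->stats`. The function starts above the hunk, so its existing declarations are not visible here.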
+1 −1
@@ -115,7 +115,7 @@ static int nfnl_acct_new(struct net *net, struct sock *nfnl,
		nfacct->flags = flags;
	}

	nla_strlcpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
	nla_strlcpy(nfacct->name, tb[NFACCT_NAME], NFACCT_NAME_MAX);

	if (tb[NFACCT_BYTES]) {
		atomic64_set(&nfacct->bytes,
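Review bot: The return value of `nla_strlcpy(nfacct->name, tb[NFACCT_NAME], NFACCT_NAME_MAX)` is ignored, so an over-long NFACCT_NAME attribute is silently truncated and the object would be stored under a different name than the one requested. Unless the netlink policy for NFACCT_NAME (not shown in this hunk) already caps the string at `NFACCT_NAME_MAX - 1`, the copy should be checked, e.g. `if (nla_strlcpy(nfacct->name, tb[NFACCT_NAME], NFACCT_NAME_MAX) >= NFACCT_NAME_MAX)` followed by the function's existing cleanup and an -EINVAL return. Passing `sizeof(nfacct->name)` as the size would also keep the bound tied to the destination buffer. nfnl_acct_new() starts and ends outside the hunk.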