
Commit af57d2b7 authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix use after free of struct proc_dir_entry in ipt_CLUSTERIP, patch
   from Sabrina Dubroca.

2) Fix spurious EINVAL errors from iptables over nft compatibility layer.

3) Reload pointer to ip header only if there is non-terminal verdict,
   i.e. XT_CONTINUE, otherwise invalid memory access may happen, patch
   from Taehee Yoo.

4) Fix interaction between SYNPROXY and NAT, SYNPROXY adds sequence
   adjustment already, however nf_nat_setup() assumes there is not.
   Patch from Xin Long.

5) Fix burst arithmetic in nft_limit as Joe Stringer mentioned during
   NFWS in Faro. Patch from Andy Zhou.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents d0273ef3 c26844ed
+5 −5
@@ -268,14 +268,14 @@ unsigned int arpt_do_table(struct sk_buff *skb,
		acpar.targinfo = t->data;
		verdict = t->u.kernel.target->target(skb, &acpar);

		if (verdict == XT_CONTINUE) {
			/* Target might have changed stuff. */
			arp = arp_hdr(skb);

		if (verdict == XT_CONTINUE)
			e = arpt_next_entry(e);
		else
		} else {
			/* Verdict */
			break;
		}
	} while (!acpar.hotdrop);
	xt_write_recseq_end(addend);
	local_bh_enable();
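Review bot: the `arp = arp_hdr(skb)` reload is now scoped to the `if (verdict == XT_CONTINUE)` branch, which is the correct place for it, but the bare `/* Verdict */` comment on the `else` branch should state the consequence: the target may have reallocated the skb data, so `arp` is potentially stale once the loop leaves via `break`, and nothing after the `while (!acpar.hotdrop)` loop may dereference it. Suggest `/* Terminal verdict: arp may be stale, do not touch it. */` so the next edit to this loop does not move the reload back out.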
+5 −4
@@ -352,13 +352,14 @@ ipt_do_table(struct sk_buff *skb,
		acpar.targinfo = t->data;

		verdict = t->u.kernel.target->target(skb, &acpar);
		if (verdict == XT_CONTINUE) {
			/* Target might have changed stuff. */
			ip = ip_hdr(skb);
		if (verdict == XT_CONTINUE)
			e = ipt_next_entry(e);
		else
		} else {
			/* Verdict */
			break;
		}
	} while (!acpar.hotdrop);

	xt_write_recseq_end(addend);
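Review bot: same structure as the `arpt_do_table` change and correct for the same reason: `ip_hdr(skb)` is re-read only after a target returned XT_CONTINUE, and on any other verdict the loop breaks without touching `ip`. Worth adding the same note on the `else` branch that `ip` must not be used after the `break`, and worth keeping the two loops textually identical so that a future fix to one is not missed in the other.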
+3 −1
@@ -117,6 +117,7 @@ clusterip_config_entry_put(struct net *net, struct clusterip_config *c)
		 * functions are also incrementing the refcount on their own,
		 * so it's safe to remove the entry even if it's in use. */
#ifdef CONFIG_PROC_FS
		if (cn->procdir)
			proc_remove(c->pde);
#endif
		return;
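Review bot: the new `if (cn->procdir)` guard is what stops the use-after-free, but the hunk does not show where `cn` is obtained or what makes reading `cn->procdir` safe against a concurrent `clusterip_net_exit()`; a comment stating the lifetime rule (once the netns proc directory has been removed, its subtree including `c->pde` is already gone, so `procdir == NULL` means there is nothing left to remove) would help the next reader. Suggest `/* procdir removal already took pde with it */` directly above the check.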
@@ -815,6 +816,7 @@ static void clusterip_net_exit(struct net *net)
#ifdef CONFIG_PROC_FS
	struct clusterip_net *cn = net_generic(net, clusterip_net_id);
	proc_remove(cn->procdir);
	cn->procdir = NULL;
#endif
	nf_unregister_net_hook(net, &cip_arp_ops);
}
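Review bot: `cn->procdir = NULL;` after `proc_remove(cn->procdir)` is the flag the entry-put path keys on, so this store must be visible to any later `clusterip_config_entry_put()` for this netns; nothing in the hunk says what orders it (a lock, or the netns teardown sequence guaranteeing no concurrent put). Document that assumption next to the assignment rather than leaving it implicit. Also note that `nf_unregister_net_hook()` runs after the proc cleanup, so a packet-path callback still executing during teardown would observe `procdir == NULL`; if that path ever touches the proc entries, the order of these two steps needs a second look.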
+1 −1
@@ -441,7 +441,7 @@ nf_nat_setup_info(struct nf_conn *ct,
		else
			ct->status |= IPS_DST_NAT;

		if (nfct_help(ct))
		if (nfct_help(ct) && !nfct_seqadj(ct))
			if (!nfct_seqadj_ext_add(ct))
				return NF_DROP;
	}
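Review bot: the added `!nfct_seqadj(ct)` condition skips `nfct_seqadj_ext_add()` when the seqadj extension is already attached, which is exactly the SYNPROXY case the commit message describes; without it the second add fails and the packet is dropped with NF_DROP although the conntrack is perfectly usable. A one-line comment on the condition would make the intent obvious, e.g. `/* seqadj may already be present (SYNPROXY) */`, since the bare check reads like a redundant NULL test.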
+2 −2
@@ -305,7 +305,7 @@ static int nft_target_validate(const struct nft_ctx *ctx,
		const struct nf_hook_ops *ops = &basechain->ops[0];

		hook_mask = 1 << ops->hooknum;
		if (!(hook_mask & target->hooks))
		if (target->hooks && !(hook_mask & target->hooks))
			return -EINVAL;

		ret = nft_compat_chain_validate_dependency(target->table,
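Review bot: `target->hooks == 0` now means "no hook restriction" rather than "no hook permitted", which removes the spurious EINVAL for xtables targets that do not declare `.hooks`; the hunk does not say so anywhere, and the old form reads as the natural one and is easy to reintroduce, so add a one-line comment above the check. Also confirm that every target that is genuinely hook-restricted sets a non-zero mask, because for a zero mask this validation is now silently skipped.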
@@ -484,7 +484,7 @@ static int nft_match_validate(const struct nft_ctx *ctx,
		const struct nf_hook_ops *ops = &basechain->ops[0];

		hook_mask = 1 << ops->hooknum;
		if (!(hook_mask & match->hooks))
		if (match->hooks && !(hook_mask & match->hooks))
			return -EINVAL;

		ret = nft_compat_chain_validate_dependency(match->table,
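Review bot: identical change for matches, consistent with the target case; `nft_target_validate` and `nft_match_validate` now carry the same three-line pattern, so a small shared helper taking the hooks mask and the base chain would keep the two from drifting apart. Same request as for the target: document that a zero `match->hooks` means unrestricted.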