netfilter pull request 24-10-31
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEjF9xRqF1emXiQiqU1w0aZmrPKyEFAmcjVIwACgkQ1w0aZmrP KyGfKA/+Nhj8MpYPl/TiaWitL9quL8ExcSr8DBJPlG0w/LzlrdYZqKvgxUfTDHKi GYnfgFrHlrNG0E6HiWS8RPzjJjT8of/hrnFU/pMkGh97hQpDLkkoG9/wAScO3NGQ c8roORHe3gSH1ZR6ExCy6wdw1aUxGzA7amZULDc+bU64KamGgFoBTSI/YG0bW0FI s5waIGtqfo/Wg+uyRv5Ny477aWIrWTjhG0T/64lziPws9rZ40cTfg8N22PVX0Yog pojOC8mpMyys5hNu6UBB0pdX5J6ARO1seK0aj1i+XEkJYHb1u9/oySfVoI0yqQ3Y 9Kt8nc/NvBoOvK2xlLApYIHC8//YCAE94n6JwrZPyb16L93yxhpGO3kZNq6ydJdU 2tgv23clW3keMvJijICc0bxQdUqwKdQZcLRwkVAvXAWvOCI9x72Y6GeJS4xRnnBF RDug6uuLMVoh9UlUZ95HiXsFLzilXtkFHGaG0KjEKdIECgajTBlcwpFyDGktto44 XVr4cjTQ5amUVqfcG7ycFLsVjk8dYEkYbTE6FMenSAeFIYzo+D8xQnoMKFYE+IXt C229Z9FZJvmbduZEoeaMI24CnV4P0HjNPvrTMw8go2iSbi89fLPEscCS/z/eUqQS 4FB+E93LaCKhSYujQIAB+sZcNlG0Q8+7f10mv8SsNZxJZmPOIeU= =RHbi -----END PGP SIGNATURE----- Merge tag 'nf-24-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== The following patchset contains Netfilter fixes for net: 1) Remove unused parameters in conntrack_dump_flush.c used by selftests, from Liu Jing. 2) Fix possible UaF when removing xtables module via getsockopt() interface, from Dong Chenchen. 3) Fix potential crash in nf_send_reset6() reported by syzkaller. From Eric Dumazet 4) Validate offset and length before calling skb_checksum() in nft_payload, otherwise hitting BUG() is possible. netfilter pull request 24-10-31 * tag 'nf-24-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nft_payload: sanitize offset and length before calling skb_checksum() netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() netfilter: Fix use-after-free in get_info() selftests: netfilter: remove unused parameter ==================== Link: https://patch.msgid.link/ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
commit
50ae879de1
@ -268,12 +268,12 @@ static int nf_reject6_fill_skb_dst(struct sk_buff *skb_in)
|
||||
void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
|
||||
int hook)
|
||||
{
|
||||
struct sk_buff *nskb;
|
||||
struct tcphdr _otcph;
|
||||
const struct tcphdr *otcph;
|
||||
unsigned int otcplen, hh_len;
|
||||
const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
|
||||
struct dst_entry *dst = NULL;
|
||||
const struct tcphdr *otcph;
|
||||
struct sk_buff *nskb;
|
||||
struct tcphdr _otcph;
|
||||
unsigned int otcplen;
|
||||
struct flowi6 fl6;
|
||||
|
||||
if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
|
||||
@ -312,9 +312,8 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
|
||||
if (IS_ERR(dst))
|
||||
return;
|
||||
|
||||
hh_len = (dst->dev->hard_header_len + 15)&~15;
|
||||
nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
|
||||
+ sizeof(struct tcphdr) + dst->trailer_len,
|
||||
nskb = alloc_skb(LL_MAX_HEADER + sizeof(struct ipv6hdr) +
|
||||
sizeof(struct tcphdr) + dst->trailer_len,
|
||||
GFP_ATOMIC);
|
||||
|
||||
if (!nskb) {
|
||||
@ -327,7 +326,7 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
|
||||
|
||||
nskb->mark = fl6.flowi6_mark;
|
||||
|
||||
skb_reserve(nskb, hh_len + dst->header_len);
|
||||
skb_reserve(nskb, LL_MAX_HEADER);
|
||||
nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP, ip6_dst_hoplimit(dst));
|
||||
nf_reject_ip6_tcphdr_put(nskb, oldskb, otcph, otcplen);
|
||||
|
||||
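Review bot: The new sizing in the second and third hunks carries no comment on why `LL_MAX_HEADER` replaces the device-derived `hh_len`, or why `dst->header_len` drops out of both the allocation and the `skb_reserve()` while `dst->trailer_len` is still counted. The pull-request text only says this fixes a potential crash reported by syzkaller; presumably the headroom computed from `dst->dev->hard_header_len` could be smaller than a link-layer header pushed later in the function, but that code is outside these hunks. A comment above the allocation such as `/* Reserve LL_MAX_HEADER: headroom must not depend on dst->dev->hard_header_len, which may be too small for the header pushed below. */` would record the reason. Whether a non-zero `dst->header_len` is still covered on every output path should be confirmed and mentioned in the same comment. nf_send_reset6 starts in the first hunk and continues past the last one.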
|
@ -904,6 +904,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
|
||||
((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&
|
||||
priv->base != NFT_PAYLOAD_INNER_HEADER) ||
|
||||
skb->ip_summed != CHECKSUM_PARTIAL)) {
|
||||
if (offset + priv->len > skb->len)
|
||||
goto err;
|
||||
|
||||
fsum = skb_checksum(skb, offset, priv->len, 0);
|
||||
tsum = csum_partial(src, priv->len, 0);
|
||||
|
||||
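Review bot: The added guard `if (offset + priv->len > skb->len)` has no comment saying what it protects, and the declarations of its operands are outside the hunk. The pull-request text states that skb_checksum() can hit BUG() when offset and length are not validated, so a comment above the check such as `/* skb_checksum() may BUG() on a range beyond skb->len; reject it first */` would keep that reason next to the code. If `offset` is a signed type, the comparison relies on implicit conversion to unsigned to reject negative values; that should be confirmed and stated rather than left implicit. nft_payload_set_eval starts before the hunk and continues after it.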
|
@ -1269,7 +1269,7 @@ struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
|
||||
|
||||
/* and once again: */
|
||||
list_for_each_entry(t, &xt_net->tables[af], list)
|
||||
if (strcmp(t->name, name) == 0)
|
||||
if (strcmp(t->name, name) == 0 && owner == t->me)
|
||||
return t;
|
||||
|
||||
module_put(owner);
|
||||
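Review bot: The existing comment `/* and once again: */` above the loop no longer describes the test, which now also requires `owner == t->me` before the table is returned. The hunk does not show where `owner` is obtained, but the `module_put(owner)` after the loop suggests a module reference is held at this point. A same-named table belonging to a different module would not be pinned by that reference, which appears to be the use-after-free named in the commit list. Extending the comment to `/* and once again: only accept a table owned by the module we hold a reference on */` would record this. xt_find_table_lock starts before the hunk and ends after it.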
|
@ -98,7 +98,7 @@ static int conntrack_data_insert(struct mnl_socket *sock, struct nlmsghdr *nlh,
|
||||
char buf[MNL_SOCKET_BUFFER_SIZE];
|
||||
struct nlmsghdr *rplnlh;
|
||||
unsigned int portid;
|
||||
int err, ret;
|
||||
int ret;
|
||||
|
||||
portid = mnl_socket_get_portid(sock);
|
||||
|
||||
@ -217,7 +217,7 @@ static int conntracK_count_zone(struct mnl_socket *sock, uint16_t zone)
|
||||
struct nfgenmsg *nfh;
|
||||
struct nlattr *nest;
|
||||
unsigned int portid;
|
||||
int err, ret;
|
||||
int ret;
|
||||
|
||||
portid = mnl_socket_get_portid(sock);
|
||||
|
||||
@ -264,7 +264,7 @@ static int conntrack_flush_zone(struct mnl_socket *sock, uint16_t zone)
|
||||
struct nfgenmsg *nfh;
|
||||
struct nlattr *nest;
|
||||
unsigned int portid;
|
||||
int err, ret;
|
||||
int ret;
|
||||
|
||||
portid = mnl_socket_get_portid(sock);
|
||||
|
||||
|