From f9f02cca25acf33e5853c6b3cbb0c7146312783f Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 9 Jan 2007 14:32:41 -0800 Subject: [PATCH 1/7] [NETFILTER]: nf_conntrack_ipv6: fix crash when handling fragments When IPv6 connection tracking splits up a defragmented packet into its original fragments, the packets are taken from a list and are passed to the network stack with skb->next still set. This causes dev_hard_start_xmit to treat them as GSO fragments, resulting in a use after free when connection tracking handles the next fragment. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 37e5fca923a..d9c15402ba6 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -835,6 +835,8 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, s->nfct_reasm = skb; s2 = s->next; + s->next = NULL; + NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); s = s2; From 8c82d8df7060221f131c9ca5352fb613c14f857a Mon Sep 17 00:00:00 2001 From: Bart De Schuymer Date: Tue, 9 Jan 2007 14:33:11 -0800 Subject: [PATCH 2/7] [NETFILTER]: arp_tables: fix userspace compilation The included patch translates arpt_counters to xt_counters, making userspace arptables compile against recent kernels. Signed-off-by: Bart De Schuymer Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_arp/arp_tables.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h index 0be235418a2..24c8786d12e 100644 --- a/include/linux/netfilter_arp/arp_tables.h +++ b/include/linux/netfilter_arp/arp_tables.h @@ -190,6 +190,7 @@ struct arpt_replace /* The argument to ARPT_SO_ADD_COUNTERS. */ #define arpt_counters_info xt_counters_info +#define arpt_counters xt_counters /* The argument to ARPT_SO_GET_ENTRIES. */ struct arpt_get_entries From ffed53d25bf36efb0571f7d9109f2e95df7f8b33 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 9 Jan 2007 14:33:49 -0800 Subject: [PATCH 3/7] [NETFILTER]: nf_nat: fix hanging connections when loading the NAT module When loading the NAT module, existing connection tracking entries don't have room for NAT information allocated and packets are dropped, causing hanging connections. They really should be entered into the NAT table as NULL mappings, but the current allocation scheme doesn't allow this. For now simply accept those packets to avoid the hanging connections. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/netfilter/nf_nat_standalone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 730a7a44c88..00d6dea9f7f 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c @@ -123,7 +123,7 @@ nf_nat_fn(unsigned int hooknum, nat = nfct_nat(ct); if (!nat) - return NF_DROP; + return NF_ACCEPT; switch (ctinfo) { case IP_CT_RELATED: From f79e7802153829e015dc2a60eb8b7444eb191b67 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 9 Jan 2007 14:34:14 -0800 Subject: [PATCH 4/7] [NETFILTER]: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value IP_CT_TCP_FLAG_CLOSE_INIT is a flag and should have a value of 0x4 instead of 0x3, which is IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/nf_conntrack_tcp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h index 6b01ba29772..2f4e98b90cc 100644 --- a/include/linux/netfilter/nf_conntrack_tcp.h +++ b/include/linux/netfilter/nf_conntrack_tcp.h @@ -25,7 +25,7 @@ enum tcp_conntrack { #define IP_CT_TCP_FLAG_SACK_PERM 0x02 /* This sender sent FIN first */ -#define IP_CT_TCP_FLAG_CLOSE_INIT 0x03 +#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 #ifdef __KERNEL__ From 4a1c0107bca2eccf4491b86fec41ce63268d803d Mon Sep 17 00:00:00 2001 From: Vlad Yasevich Date: Tue, 9 Jan 2007 14:35:51 -0800 Subject: [PATCH 5/7] [SCTP]: Fix err_hdr assignment in sctp_init_cause. The subh->err_hdr should point to the error header, not the data. Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller --- net/sctp/sm_make_chunk.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index f0bbe36799c..167d888d1df 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -124,8 +124,8 @@ void sctp_init_cause(struct sctp_chunk *chunk, __be16 cause_code, padlen = len % 4; err.length = htons(len); len += padlen; - sctp_addto_chunk(chunk, sizeof(sctp_errhdr_t), &err); - chunk->subh.err_hdr = sctp_addto_chunk(chunk, paylen, payload); + chunk->subh.err_hdr = sctp_addto_chunk(chunk, sizeof(sctp_errhdr_t), &err); + sctp_addto_chunk(chunk, paylen, payload); } /* 3.3.2 Initiation (INIT) (1) From 469de9b90f739f130ab3d483e819888e977596b8 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 9 Jan 2007 14:37:06 -0800 Subject: [PATCH 6/7] [INET]: style updates for the inet_sock->is_icsk assignment fix A quick patch to change the inet_sock->is_icsk assignment to better fit with existing kernel coding style. Signed-off-by: Paul Moore Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller --- net/ipv4/af_inet.c | 2 +- net/ipv6/af_inet6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index d60fd7321e6..86400964367 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -305,7 +305,7 @@ lookup_protocol: sk->sk_reuse = 1; inet = inet_sk(sk); - inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) == INET_PROTOSW_ICSK; + inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) != 0; if (SOCK_RAW == sock->type) { inet->num = protocol; diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 832a5e6e2d7..0e0e4262f4d 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -171,7 +171,7 @@ lookup_protocol: sk->sk_reuse = 1; inet = inet_sk(sk); - inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) == INET_PROTOSW_ICSK; + inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) != 0; if (SOCK_RAW == sock->type) { inet->num = protocol; From 483479ecc565b7f5845997138eddf5ecbc2684b1 Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Tue, 9 Jan 2007 14:38:31 -0800 Subject: [PATCH 7/7] [IPV4] devinet: inetdev_init out label moved after RCU assignment inetdev_init out label moved after RCU assignment (final suggestion by Herbert Xu) Signed-off-by: Jarek Poplawski Acked-by: Herbert Xu Signed-off-by: David S. Miller --- net/ipv4/devinet.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index 25c8a42965d..480ace9819f 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -174,9 +174,10 @@ struct in_device *inetdev_init(struct net_device *dev) ip_mc_init_dev(in_dev); if (dev->flags & IFF_UP) ip_mc_up(in_dev); -out: + /* we can receive as soon as ip_ptr is set -- do this last */ rcu_assign_pointer(dev->ip_ptr, in_dev); +out: return in_dev; out_kfree: kfree(in_dev);