Commit 78582416 authored by David S. Miller's avatar David S. Miller
parents ec0506db 768b1031
...@@ -4404,7 +4404,8 @@ L: netfilter@vger.kernel.org ...@@ -4404,7 +4404,8 @@ L: netfilter@vger.kernel.org
L: coreteam@netfilter.org L: coreteam@netfilter.org
W: http://www.netfilter.org/ W: http://www.netfilter.org/
W: http://www.iptables.org/ W: http://www.iptables.org/
T: git git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git T: git git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-2.6.git
T: git git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next-2.6.git
S: Supported S: Supported
F: include/linux/netfilter* F: include/linux/netfilter*
F: include/linux/netfilter/ F: include/linux/netfilter/
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
menuconfig BRIDGE_NF_EBTABLES menuconfig BRIDGE_NF_EBTABLES
tristate "Ethernet Bridge tables (ebtables) support" tristate "Ethernet Bridge tables (ebtables) support"
depends on BRIDGE && BRIDGE_NETFILTER depends on BRIDGE && NETFILTER
select NETFILTER_XTABLES select NETFILTER_XTABLES
help help
ebtables is a general, extensible frame/packet identification ebtables is a general, extensible frame/packet identification
......
...@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) ...@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
return skb; return skb;
nlmsg_failure: nlmsg_failure:
kfree_skb(skb);
*errp = -EINVAL; *errp = -EINVAL;
printk(KERN_ERR "ip_queue: error creating packet message\n"); printk(KERN_ERR "ip_queue: error creating packet message\n");
return NULL; return NULL;
...@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len) ...@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len)
{ {
struct nf_queue_entry *entry; struct nf_queue_entry *entry;
if (vmsg->value > NF_MAX_VERDICT) if (vmsg->value > NF_MAX_VERDICT || vmsg->value == NF_STOLEN)
return -EINVAL; return -EINVAL;
entry = ipq_find_dequeue_entry(vmsg->id); entry = ipq_find_dequeue_entry(vmsg->id);
...@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg, ...@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg,
break; break;
case IPQM_VERDICT: case IPQM_VERDICT:
if (pmsg->msg.verdict.value > NF_MAX_VERDICT) status = ipq_set_verdict(&pmsg->msg.verdict,
status = -EINVAL; len - sizeof(*pmsg));
else break;
status = ipq_set_verdict(&pmsg->msg.verdict,
len - sizeof(*pmsg));
break;
default: default:
status = -EINVAL; status = -EINVAL;
} }
......
...@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) ...@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
return skb; return skb;
nlmsg_failure: nlmsg_failure:
kfree_skb(skb);
*errp = -EINVAL; *errp = -EINVAL;
printk(KERN_ERR "ip6_queue: error creating packet message\n"); printk(KERN_ERR "ip6_queue: error creating packet message\n");
return NULL; return NULL;
...@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len) ...@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len)
{ {
struct nf_queue_entry *entry; struct nf_queue_entry *entry;
if (vmsg->value > NF_MAX_VERDICT) if (vmsg->value > NF_MAX_VERDICT || vmsg->value == NF_STOLEN)
return -EINVAL; return -EINVAL;
entry = ipq_find_dequeue_entry(vmsg->id); entry = ipq_find_dequeue_entry(vmsg->id);
...@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg, ...@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg,
break; break;
case IPQM_VERDICT: case IPQM_VERDICT:
if (pmsg->msg.verdict.value > NF_MAX_VERDICT) status = ipq_set_verdict(&pmsg->msg.verdict,
status = -EINVAL; len - sizeof(*pmsg));
else break;
status = ipq_set_verdict(&pmsg->msg.verdict,
len - sizeof(*pmsg));
break;
default: default:
status = -EINVAL; status = -EINVAL;
} }
......
...@@ -364,6 +364,7 @@ pptp_inbound_pkt(struct sk_buff *skb, ...@@ -364,6 +364,7 @@ pptp_inbound_pkt(struct sk_buff *skb,
break; break;
case PPTP_WAN_ERROR_NOTIFY: case PPTP_WAN_ERROR_NOTIFY:
case PPTP_SET_LINK_INFO:
case PPTP_ECHO_REQUEST: case PPTP_ECHO_REQUEST:
case PPTP_ECHO_REPLY: case PPTP_ECHO_REPLY:
/* I don't have to explain these ;) */ /* I don't have to explain these ;) */
......
...@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb, ...@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb,
if (opsize < 2) /* "silly options" */ if (opsize < 2) /* "silly options" */
return; return;
if (opsize > length) if (opsize > length)
break; /* don't parse partial options */ return; /* don't parse partial options */
if (opcode == TCPOPT_SACK_PERM if (opcode == TCPOPT_SACK_PERM
&& opsize == TCPOLEN_SACK_PERM) && opsize == TCPOLEN_SACK_PERM)
...@@ -447,7 +447,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, ...@@ -447,7 +447,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
BUG_ON(ptr == NULL); BUG_ON(ptr == NULL);
/* Fast path for timestamp-only option */ /* Fast path for timestamp-only option */
if (length == TCPOLEN_TSTAMP_ALIGNED*4 if (length == TCPOLEN_TSTAMP_ALIGNED
&& *(__be32 *)ptr == htonl((TCPOPT_NOP << 24) && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
| (TCPOPT_NOP << 16) | (TCPOPT_NOP << 16)
| (TCPOPT_TIMESTAMP << 8) | (TCPOPT_TIMESTAMP << 8)
...@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, ...@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
if (opsize < 2) /* "silly options" */ if (opsize < 2) /* "silly options" */
return; return;
if (opsize > length) if (opsize > length)
break; /* don't parse partial options */ return; /* don't parse partial options */
if (opcode == TCPOPT_SACK if (opcode == TCPOPT_SACK
&& opsize >= (TCPOLEN_SACK_BASE && opsize >= (TCPOLEN_SACK_BASE
......
...@@ -646,8 +646,8 @@ verdicthdr_get(const struct nlattr * const nfqa[]) ...@@ -646,8 +646,8 @@ verdicthdr_get(const struct nlattr * const nfqa[])
return NULL; return NULL;
vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]); vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
verdict = ntohl(vhdr->verdict); verdict = ntohl(vhdr->verdict) & NF_VERDICT_MASK;
if ((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT) if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN)
return NULL; return NULL;
return vhdr; return vhdr;
} }
......
...@@ -78,7 +78,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) ...@@ -78,7 +78,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
{ {
struct xt_rateest_match_info *info = par->matchinfo; struct xt_rateest_match_info *info = par->matchinfo;
struct xt_rateest *est1, *est2; struct xt_rateest *est1, *est2;
int ret = false; int ret = -EINVAL;
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
XT_RATEEST_MATCH_REL)) != 1) XT_RATEEST_MATCH_REL)) != 1)
...@@ -101,13 +101,12 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) ...@@ -101,13 +101,12 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
if (!est1) if (!est1)
goto err1; goto err1;
est2 = NULL;
if (info->flags & XT_RATEEST_MATCH_REL) { if (info->flags & XT_RATEEST_MATCH_REL) {
est2 = xt_rateest_lookup(info->name2); est2 = xt_rateest_lookup(info->name2);
if (!est2) if (!est2)
goto err2; goto err2;
} else }
est2 = NULL;
info->est1 = est1; info->est1 = est1;
info->est2 = est2; info->est2 = est2;
...@@ -116,7 +115,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) ...@@ -116,7 +115,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
err2: err2:
xt_rateest_put(est1); xt_rateest_put(est1);
err1: err1:
return -EINVAL; return ret;
} }
static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment