1. 04 May, 2014 2 commits
    • netfilter: nfnetlink: Fix use after free when it fails to process batch · ecd15dd7
      Denys Fedoryshchenko authored
      This bug manifests when calling the nft command line tool without
      nf_tables kernel support.
      
      kernel message:
      [   44.071555] Netfilter messages via NETLINK v0.30.
      [   44.072253] BUG: unable to handle kernel NULL pointer dereference at 0000000000000119
      [   44.072264] IP: [<ffffffff8171db1f>] netlink_getsockbyportid+0xf/0x70
      [   44.072272] PGD 7f2b74067 PUD 7f2b73067 PMD 0
      [   44.072277] Oops: 0000 [#1] SMP
      [...]
      [   44.072369] Call Trace:
      [   44.072373]  [<ffffffff8171fd81>] netlink_unicast+0x91/0x200
      [   44.072377]  [<ffffffff817206c9>] netlink_ack+0x99/0x110
      [   44.072381]  [<ffffffffa004b951>] nfnetlink_rcv+0x3c1/0x408 [nfnetlink]
      [   44.072385]  [<ffffffff8171fde3>] netlink_unicast+0xf3/0x200
      [   44.072389]  [<ffffffff817201ef>] netlink_sendmsg+0x2ff/0x740
      [   44.072394]  [<ffffffff81044752>] ? __mmdrop+0x62/0x90
      [   44.072398]  [<ffffffff816dafdb>] sock_sendmsg+0x8b/0xc0
      [   44.072403]  [<ffffffff812f1af5>] ? copy_user_enhanced_fast_string+0x5/0x10
      [   44.072406]  [<ffffffff816dbb6c>] ? move_addr_to_kernel+0x2c/0x50
      [   44.072410]  [<ffffffff816db423>] ___sys_sendmsg+0x3c3/0x3d0
      [   44.072415]  [<ffffffff811301ba>] ? handle_mm_fault+0xa9a/0xc60
      [   44.072420]  [<ffffffff811362d6>] ? mmap_region+0x166/0x5a0
      [   44.072424]  [<ffffffff817da84c>] ? __do_page_fault+0x1dc/0x510
      [   44.072428]  [<ffffffff812b8b2c>] ? apparmor_capable+0x1c/0x60
      [   44.072435]  [<ffffffff817d6e9a>] ? _raw_spin_unlock_bh+0x1a/0x20
      [   44.072439]  [<ffffffff816dfc86>] ? release_sock+0x106/0x150
      [   44.072443]  [<ffffffff816dc212>] __sys_sendmsg+0x42/0x80
      [   44.072446]  [<ffffffff816dc262>] SyS_sendmsg+0x12/0x20
      [   44.072450]  [<ffffffff817df616>] system_call_fastpath+0x1a/0x1f
      Signed-off-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ipv4: defrag: set local_df flag on defragmented skb · 895162b1
      Florian Westphal authored
      else we may fail to forward skb even if original fragments do fit
      outgoing link mtu:
      
      1. remote sends 2k packets in two 1000 byte frags, DF set
      2. we want to forward but only see '2k > mtu and DF set'
      3. we then send icmp error saying that outgoing link is 1500
      
      But original sender never sent a packet that would not fit
      the outgoing link.
      
      Setting local_df makes outgoing path test size vs.
      IPCB(skb)->frag_max_size, so we will still send the correct
      error in case the largest original size did not fit
      outgoing link mtu.
      Reported-by: Maxime Bizon <mbizon@freebox.fr>
      Suggested-by: Maxime Bizon <mbizon@freebox.fr>
      Fixes: 5f2d04f1 (ipv4: fix path MTU discovery with connection tracking)
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 29 Apr, 2014 1 commit
  3. 28 Apr, 2014 12 commits
  4. 27 Apr, 2014 5 commits
  5. 26 Apr, 2014 11 commits
  6. 24 Apr, 2014 9 commits