Commit c00e858d authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Use kvfree() to release vmalloc()'ed areas in ipset, from Eric Dumazet.

2) UAF in nfnetlink_queue from the nf_conntrack_update() path.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
parents 4d572545 d005fbb8
...@@ -326,7 +326,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], ...@@ -326,7 +326,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
set->variant = &bitmap_ip; set->variant = &bitmap_ip;
if (!init_map_ip(set, map, first_ip, last_ip, if (!init_map_ip(set, map, first_ip, last_ip,
elements, hosts, netmask)) { elements, hosts, netmask)) {
kfree(map); ip_set_free(map);
return -ENOMEM; return -ENOMEM;
} }
if (tb[IPSET_ATTR_TIMEOUT]) { if (tb[IPSET_ATTR_TIMEOUT]) {
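Review bot: The `ip_set_free(map);` call in the init_map_ip() failure branch has no comment tying it to the way `map` was allocated, and that allocation is outside this hunk. The commit description says these areas can be vmalloc()'ed, so a one-line comment such as `/* map may be vmalloc-backed (ip_set_alloc()); release only via ip_set_free() */` would keep a later cleanup from reverting to kfree(), assuming the allocation is indeed ip_set_alloc(). The same comment fits the matching branches in bitmap_ipmac_create and bitmap_port_create. Only failure paths are visible here, so it is also worth checking the destroy paths of these set types for any remaining kfree() on the same objects.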
......
...@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[], ...@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
set->variant = &bitmap_ipmac; set->variant = &bitmap_ipmac;
if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) { if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
kfree(map); ip_set_free(map);
return -ENOMEM; return -ENOMEM;
} }
if (tb[IPSET_ATTR_TIMEOUT]) { if (tb[IPSET_ATTR_TIMEOUT]) {
......
...@@ -274,7 +274,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[], ...@@ -274,7 +274,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
set->variant = &bitmap_port; set->variant = &bitmap_port;
if (!init_map_port(set, map, first_port, last_port)) { if (!init_map_port(set, map, first_port, last_port)) {
kfree(map); ip_set_free(map);
return -ENOMEM; return -ENOMEM;
} }
if (tb[IPSET_ATTR_TIMEOUT]) { if (tb[IPSET_ATTR_TIMEOUT]) {
......
...@@ -682,7 +682,7 @@ mtype_resize(struct ip_set *set, bool retried) ...@@ -682,7 +682,7 @@ mtype_resize(struct ip_set *set, bool retried)
} }
t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits)); t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits));
if (!t->hregion) { if (!t->hregion) {
kfree(t); ip_set_free(t);
ret = -ENOMEM; ret = -ENOMEM;
goto out; goto out;
} }
...@@ -1533,7 +1533,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set, ...@@ -1533,7 +1533,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
} }
t->hregion = ip_set_alloc(ahash_sizeof_regions(hbits)); t->hregion = ip_set_alloc(ahash_sizeof_regions(hbits));
if (!t->hregion) { if (!t->hregion) {
kfree(t); ip_set_free(t);
kfree(h); kfree(h);
return -ENOMEM; return -ENOMEM;
} }
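Review bot: In the `_create` hunk the failed-hregion branch now releases `t` with `ip_set_free(t);` and `h` with `kfree(h);` on adjacent lines, with nothing to say why the two differ. Both allocations are outside the hunk, so a reader cannot tell whether the remaining kfree() is correct or was missed. Once the allocator for `h` is confirmed, a short comment such as `/* t: ip_set_alloc(), may be vmalloc-backed; h: slab allocation */` would make the pairing auditable. The mtype_resize hunk has the same `ip_set_free(t);` with the allocation of `t` not visible.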
......
...@@ -2158,6 +2158,8 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb) ...@@ -2158,6 +2158,8 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
err = __nf_conntrack_update(net, skb, ct, ctinfo); err = __nf_conntrack_update(net, skb, ct, ctinfo);
if (err < 0) if (err < 0)
return err; return err;
ct = nf_ct_get(skb, &ctinfo);
} }
return nf_confirm_cthelper(skb, ct, ctinfo); return nf_confirm_cthelper(skb, ct, ctinfo);
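Review bot: The re-read `ct = nf_ct_get(skb, &ctinfo);` after `__nf_conntrack_update()` is passed straight to `nf_confirm_cthelper()` with no NULL check and no comment explaining why the reload is needed. Judging by the commit description (a use-after-free on this path), the helper can apparently replace the conntrack attached to the skb, which leaves the earlier `ct` stale. A comment such as `/* __nf_conntrack_update() may swap the skb's conntrack; reload before use */` would record that. Whether the reloaded pointer can be NULL depends on code outside this hunk; if that is not guaranteed, add `if (!ct) return 0;` after the reload. The function body starts before the hunk.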
......