提交 b3d40566 编写于 作者: D David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following batch contains netfilter fixes for your net tree, they are:

1) Fix use after free in nfnetlink when sending a batch for some
   unsupported subsystem, from Denys Fedoryshchenko.

2) Skip autoload of the nat module if no binding is specified via
   ctnetlink, from Florian Westphal.

3) Set local_df after netfilter defragmentation to avoid a bogus ICMP
   fragmentation needed in the forwarding path, also from Florian.

4) Fix potential user after free in ip6_route_me_harder() when returning
   the error code to the upper layers, from Sergey Popovich.

5) Skip possible bogus ICMP time exceeded emitted from the router (not
   valid according to RFC) if conntrack zones are used, from Vasily Averin.

6) Fix fragment handling when nf_defrag_ipv4 is loaded but nf_conntrack
   is not present, also from Vasily.
====================
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
...@@ -859,12 +859,12 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops, ...@@ -859,12 +859,12 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
return NF_STOLEN; return NF_STOLEN;
} }
#if IS_ENABLED(CONFIG_NF_CONNTRACK_IPV4) #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
static int br_nf_dev_queue_xmit(struct sk_buff *skb) static int br_nf_dev_queue_xmit(struct sk_buff *skb)
{ {
int ret; int ret;
if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) && if (skb->protocol == htons(ETH_P_IP) &&
skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu && skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
!skb_is_gso(skb)) { !skb_is_gso(skb)) {
if (br_parse_ip_options(skb)) if (br_parse_ip_options(skb))
......
...@@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg) ...@@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg)
* "Fragment Reassembly Timeout" message, per RFC792. * "Fragment Reassembly Timeout" message, per RFC792.
*/ */
if (qp->user == IP_DEFRAG_AF_PACKET || if (qp->user == IP_DEFRAG_AF_PACKET ||
(qp->user == IP_DEFRAG_CONNTRACK_IN && ((qp->user >= IP_DEFRAG_CONNTRACK_IN) &&
skb_rtable(head)->rt_type != RTN_LOCAL)) (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) &&
(skb_rtable(head)->rt_type != RTN_LOCAL)))
goto out_rcu_unlock; goto out_rcu_unlock;
......
...@@ -22,7 +22,6 @@ ...@@ -22,7 +22,6 @@
#endif #endif
#include <net/netfilter/nf_conntrack_zones.h> #include <net/netfilter/nf_conntrack_zones.h>
/* Returns new sk_buff, or NULL */
static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
{ {
int err; int err;
...@@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) ...@@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
err = ip_defrag(skb, user); err = ip_defrag(skb, user);
local_bh_enable(); local_bh_enable();
if (!err) if (!err) {
ip_send_check(ip_hdr(skb)); ip_send_check(ip_hdr(skb));
skb->local_df = 1;
}
return err; return err;
} }
......
...@@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *skb) ...@@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *skb)
.daddr = iph->daddr, .daddr = iph->daddr,
.saddr = iph->saddr, .saddr = iph->saddr,
}; };
int err;
dst = ip6_route_output(net, skb->sk, &fl6); dst = ip6_route_output(net, skb->sk, &fl6);
if (dst->error) { err = dst->error;
if (err) {
IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
dst_release(dst); dst_release(dst);
return dst->error; return err;
} }
/* Drop old route. */ /* Drop old route. */
......
...@@ -1336,6 +1336,9 @@ ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[]) ...@@ -1336,6 +1336,9 @@ ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
#ifdef CONFIG_NF_NAT_NEEDED #ifdef CONFIG_NF_NAT_NEEDED
int ret; int ret;
if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
return 0;
ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
cda[CTA_NAT_DST]); cda[CTA_NAT_DST]);
if (ret < 0) if (ret < 0)
......
...@@ -256,15 +256,15 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -256,15 +256,15 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh,
#endif #endif
{ {
nfnl_unlock(subsys_id); nfnl_unlock(subsys_id);
kfree_skb(nskb); netlink_ack(skb, nlh, -EOPNOTSUPP);
return netlink_ack(skb, nlh, -EOPNOTSUPP); return kfree_skb(nskb);
} }
} }
if (!ss->commit || !ss->abort) { if (!ss->commit || !ss->abort) {
nfnl_unlock(subsys_id); nfnl_unlock(subsys_id);
kfree_skb(nskb); netlink_ack(skb, nlh, -EOPNOTSUPP);
return netlink_ack(skb, nlh, -EOPNOTSUPP); return kfree_skb(skb);
} }
while (skb->len >= nlmsg_total_size(0)) { while (skb->len >= nlmsg_total_size(0)) {
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册