From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Guillaume Nault <gnault@redhat.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 09/21] netfilter: ipv6: nf_defrag: accept duplicate fragments again
Date: Wed, 26 Jun 2019 20:41:09 -0400
Message-ID: <20190627004122.21671-9-sashal@kernel.org>
In-Reply-To: <20190627004122.21671-1-sashal@kernel.org>
From: Guillaume Nault <gnault@redhat.com>
[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]
When fixing the skb leak introduced by the conversion to rbtree, I
forgot about the special case of duplicate fragments. The condition
under the 'insert_error' label isn't effective anymore as
nf_ct_frag6_gather() doesn't override the returned value anymore. So
duplicate fragments now get NF_DROP verdict.
To accept duplicate fragments again, handle them specially as soon as
inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
translate to NF_STOLEN verdict, like any accepted fragment. However,
such packets don't carry any new information and aren't queued, so we
just drop them immediately.
Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index e6114a6710e0..0b53d1907e4a 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -264,8 +264,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
prev = fq->q.fragments_tail;
err = inet_frag_queue_insert(&fq->q, skb, offset, end);
- if (err)
+ if (err) {
+ if (err == IPFRAG_DUP) {
+ /* No error for duplicates, pretend they got queued. */
+ kfree_skb(skb);
+ return -EINPROGRESS;
+ }
goto insert_error;
+ }
if (dev)
fq->iif = dev->ifindex;
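Review bot: The comment in the new IPFRAG_DUP branch ("pretend they got queued") does not explain why the skb is freed at this point, which is what a later reader needs to know. Per the commit message, -EINPROGRESS translates to NF_STOLEN, so the caller treats the fragment as taken, and because the duplicate is never queued this branch is the only place it can be released. Suggest expanding the comment to state that ownership, for example "duplicate carries no new data and is not queued; free it here because -EINPROGRESS means the caller no longer owns the skb".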
@@ -303,8 +309,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
return -EINPROGRESS;
insert_error:
- if (err == IPFRAG_DUP)
- goto err;
inet_frag_kill(&fq->q);
err:
skb_dst_drop(skb);
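Review bot: With the IPFRAG_DUP test removed from insert_error, every path that reaches this label now runs inet_frag_kill(&fq->q) and discards the whole queue, so correctness depends on the duplicate case never arriving here. That holds only while the early return after inet_frag_queue_insert() stays in place; a one-line comment at the label noting that duplicates are handled at the insert site would keep a later refactor from reintroducing the NF_DROP verdict the commit message describes. It is also worth confirming in the 4.9 tree that no other goto insert_error can reach the label with err set to IPFRAG_DUP.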
--
2.20.1