Re: Patch "netfilter: ipv6: nf_defrag: accept duplicate fragments again" has been added to the 4.19-stable tree

All of lore.kernel.org
 help / color / mirror / Atom feed

* Re: Patch "netfilter: ipv6: nf_defrag: accept duplicate fragments again" has been added to the 4.19-stable tree
       [not found] <20190705140421.28F82218D2@mail.kernel.org>
@ 2019-07-05 16:03 ` Greg KH
  0 siblings, 0 replies; only message in thread
From: Greg KH @ 2019-07-05 16:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: gnault, stable-commits

On Fri, Jul 05, 2019 at 10:04:20AM -0400, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
> 
>     netfilter: ipv6: nf_defrag: accept duplicate fragments again
> 
> to the 4.19-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch
> and it can be found in the queue-4.19 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> 
> commit 447d05e723b06f8aa1a9cba0f7b4c0029924663c
> Author: Guillaume Nault <gnault@redhat.com>
> Date:   Thu Jun 6 18:04:00 2019 +0200
> 
>     netfilter: ipv6: nf_defrag: accept duplicate fragments again
>     
>     [ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]
>     
>     When fixing the skb leak introduced by the conversion to rbtree, I
>     forgot about the special case of duplicate fragments. The condition
>     under the 'insert_error' label isn't effective anymore as
>     nf_ct_frg6_gather() doesn't override the returned value anymore. So
>     duplicate fragments now get NF_DROP verdict.
>     
>     To accept duplicate fragments again, handle them specially as soon as
>     inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
>     translate to NF_STOLEN verdict, like any accepted fragment. However,
>     such packets don't carry any new information and aren't queued, so we
>     just drop them immediately.
>     
>     Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
>     Signed-off-by: Guillaume Nault <gnault@redhat.com>
>     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>     Signed-off-by: Sasha Levin <sashal@kernel.org>

Why not add this to 5.1.y as well?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2019-07-05 16:03 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20190705140421.28F82218D2@mail.kernel.org>
2019-07-05 16:03 ` Patch "netfilter: ipv6: nf_defrag: accept duplicate fragments again" has been added to the 4.19-stable tree Greg KH

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.