* [NETFILTER -stable 00/03]: 2.6.24 regression fixes
From: Patrick McHardy @ 2008-02-25 14:01 UTC
  To: stable; +Cc: Patrick McHardy, netfilter-devel, davem

These patches fix some netfilter regressions in 2.6.24 introduced by the
removal of double skb pointers:

- a BUG when enlarging packets queued to userspace
- inverted error checking of skb_make_writable in bridge netfilter
- use of incorrect return codes after skb_make_writable errors in
  bridge netfilter

Please apply, thanks.


 net/bridge/netfilter/ebt_dnat.c     |    4 ++--
 net/bridge/netfilter/ebt_redirect.c |    4 ++--
 net/bridge/netfilter/ebt_snat.c     |    4 ++--
 net/ipv4/netfilter/arpt_mangle.c    |    2 +-
 net/ipv4/netfilter/ip_queue.c       |   12 +++++++-----
 net/ipv6/netfilter/ip6_queue.c      |   10 ++++++----
 net/netfilter/nfnetlink_queue.c     |   10 ++++++----
 7 files changed, 26 insertions(+), 20 deletions(-)

Patrick McHardy (3):
      [NETFILTER]: nfnetlink_queue: fix SKB_LINEAR_ASSERT when mangling packet data
      [NETFILTER]: Fix incorrect use of skb_make_writable
      [NETFILTER]: fix ebtable targets return


* [NETFILTER -stable 01/03]: nfnetlink_queue: fix SKB_LINEAR_ASSERT when mangling packet data
From: Patrick McHardy @ 2008-02-25 14:01 UTC
  To: stable; +Cc: Patrick McHardy, netfilter-devel, davem

[NETFILTER]: nfnetlink_queue: fix SKB_LINEAR_ASSERT when mangling packet data

Upstream commit e2b58a67:

As reported by Tomas Simonaitis <tomas.simonaitis@gmail.com>, inserting new
data in skbs queued over {ip,ip6,nfnetlink}_queue triggers a SKB_LINEAR_ASSERT
in skb_put().

Going back through the git history, it seems this bug is present since at
least 2.6.12-rc2, probably even since the removal of skb_linearize() for
netfilter.

Linearize non-linear skbs through skb_copy_expand() when enlarging them.
Tested by Thomas, fixes bugzilla #9933.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 2e1a9528d31fda88923d6615eb4933df07f59762
tree 46cc8d288a33e945bec29f529a8f56d47c1b37bd
parent c78cb439103bf7deba5feb64921398d0ff93179a
author Patrick McHardy <kaber@trash.net> Mon, 25 Feb 2008 14:51:16 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 25 Feb 2008 14:51:16 +0100

 net/ipv4/netfilter/ip_queue.c   |   12 +++++++-----
 net/ipv6/netfilter/ip6_queue.c  |   10 ++++++----
 net/netfilter/nfnetlink_queue.c |   10 ++++++----
 3 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 14d64a3..16d0fb3 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -336,8 +336,8 @@ static int
 ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
 {
 	int diff;
-	int err;
 	struct iphdr *user_iph = (struct iphdr *)v->payload;
+	struct sk_buff *nskb;
 
 	if (v->data_len < sizeof(*user_iph))
 		return 0;
@@ -349,14 +349,16 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
 		if (v->data_len > 0xFFFF)
 			return -EINVAL;
 		if (diff > skb_tailroom(e->skb)) {
-			err = pskb_expand_head(e->skb, 0,
+			nskb = skb_copy_expand(e->skb, 0,
 					       diff - skb_tailroom(e->skb),
 					       GFP_ATOMIC);
-			if (err) {
+			if (!nskb) {
 				printk(KERN_WARNING "ip_queue: error "
-				      "in mangle, dropping packet: %d\n", -err);
-				return err;
+				      "in mangle, dropping packet\n");
+				return -ENOMEM;
 			}
+			kfree_skb(e->skb);
+			e->skb = nskb;
 		}
 		skb_put(e->skb, diff);
 	}
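
Review bot: the second and third arguments of the new skb_copy_expand() call are carried over unchanged from pskb_expand_head(), but the two functions read them differently. pskb_expand_head() adds ntail to the tailroom the skb already has; skb_copy_expand() allocates a copy with exactly newtailroom bytes free at the tail. With `diff - skb_tailroom(e->skb)` the copy ends up with fewer than diff bytes of tailroom whenever the old skb had any, so the `skb_put(e->skb, diff)` that follows can run past the end of the buffer. Suggest passing diff as the tailroom argument. The same call appears in ip6_queue.c and nfnetlink_queue.c.
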
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index e273605..710a04f 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -333,8 +333,8 @@ static int
 ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
 {
 	int diff;
-	int err;
 	struct ipv6hdr *user_iph = (struct ipv6hdr *)v->payload;
+	struct sk_buff *nskb;
 
 	if (v->data_len < sizeof(*user_iph))
 		return 0;
@@ -346,14 +346,16 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
 		if (v->data_len > 0xFFFF)
 			return -EINVAL;
 		if (diff > skb_tailroom(e->skb)) {
-			err = pskb_expand_head(e->skb, 0,
+			nskb = skb_copy_expand(e->skb, 0,
 					       diff - skb_tailroom(e->skb),
 					       GFP_ATOMIC);
-			if (err) {
+			if (!nskb) {
 				printk(KERN_WARNING "ip6_queue: OOM "
 				      "in mangle, dropping packet\n");
-				return err;
+				return -ENOMEM;
 			}
+			kfree_skb(e->skb);
+			e->skb = nskb;
 		}
 		skb_put(e->skb, diff);
 	}
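
Review bot: the headroom argument 0 in `nskb = skb_copy_expand(e->skb, 0,` throws away whatever headroom the queued skb had. With pskb_expand_head() a 0 meant "add nothing" and the existing headroom stayed; with skb_copy_expand() it is the headroom of the copy. The reinjected packet then has no room for a header pushed later and has to be reallocated a second time. Suggest passing skb_headroom(e->skb) instead, here and in the two sibling files.
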
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 3ceeffc..561c974 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -616,8 +616,8 @@ err_out_put:
 static int
 nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
 {
+	struct sk_buff *nskb;
 	int diff;
-	int err;
 
 	diff = data_len - e->skb->len;
 	if (diff < 0) {
@@ -627,14 +627,16 @@ nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
 		if (data_len > 0xFFFF)
 			return -EINVAL;
 		if (diff > skb_tailroom(e->skb)) {
-			err = pskb_expand_head(e->skb, 0,
+			nskb = skb_copy_expand(e->skb, 0,
 					       diff - skb_tailroom(e->skb),
 					       GFP_ATOMIC);
-			if (err) {
+			if (!nskb) {
 				printk(KERN_WARNING "nf_queue: OOM "
 				      "in mangle, dropping packet\n");
-				return err;
+				return -ENOMEM;
 			}
+			kfree_skb(e->skb);
+			e->skb = nskb;
 		}
 		skb_put(e->skb, diff);
 	}
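
Review bot: the printk(KERN_WARNING ...) in the `if (!nskb)` branch is unconditional, and that branch is reached once per verdict whenever a GFP_ATOMIC allocation fails, so memory pressure combined with a busy queue turns into a flood of log lines. Suggest guarding the message with net_ratelimit(). While here, ip_queue.c now prints "error in mangle" where this file and ip6_queue.c print "OOM in mangle", although all three return -ENOMEM; one wording for all three would make the logs easier to search.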


* [NETFILTER -stable 02/03]: Fix incorrect use of skb_make_writable
From: Patrick McHardy @ 2008-02-25 14:01 UTC
  To: stable; +Cc: Patrick McHardy, netfilter-devel, davem

[NETFILTER]: Fix incorrect use of skb_make_writable

Upstream commit eb1197bc0:

http://bugzilla.kernel.org/show_bug.cgi?id=9920
The function skb_make_writable returns true or false.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 3040fdefd830230ef6c2515715755f312a24f814
tree 05308bc27435162f4b2060158ee87abf786e8d0e
parent 2e1a9528d31fda88923d6615eb4933df07f59762
author Patrick McHardy <kaber@trash.net> Mon, 25 Feb 2008 14:51:17 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 25 Feb 2008 14:51:17 +0100

 net/bridge/netfilter/ebt_dnat.c     |    2 +-
 net/bridge/netfilter/ebt_redirect.c |    2 +-
 net/bridge/netfilter/ebt_snat.c     |    2 +-
 net/ipv4/netfilter/arpt_mangle.c    |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 74262e9..4fa9ecf 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -20,7 +20,7 @@ static int ebt_target_dnat(struct sk_buff *skb, unsigned int hooknr,
 {
 	struct ebt_nat_info *info = (struct ebt_nat_info *)data;
 
-	if (skb_make_writable(skb, 0))
+	if (!skb_make_writable(skb, 0))
 		return NF_DROP;
 
 	memcpy(eth_hdr(skb)->h_dest, info->mac, ETH_ALEN);
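
Review bot: with the test corrected, `return NF_DROP;` becomes the branch actually taken on failure, and 03/03 in this series states that ebt_do_table does not take NF_DROP as a verdict from the targets. Applied on its own, this patch leaves the ebtables targets handing their caller a verdict it does not understand. Suggest saying in the changelog that 02/03 and 03/03 have to go in together. The same holds for the ebt_redirect.c and ebt_snat.c hunks.
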
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 422cb83..e322f10 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -21,7 +21,7 @@ static int ebt_target_redirect(struct sk_buff *skb, unsigned int hooknr,
 {
 	struct ebt_redirect_info *info = (struct ebt_redirect_info *)data;
 
-	if (skb_make_writable(skb, 0))
+	if (!skb_make_writable(skb, 0))
 		return NF_DROP;
 
 	if (hooknr != NF_BR_BROUTING)
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 425ac92..146e889 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -22,7 +22,7 @@ static int ebt_target_snat(struct sk_buff *skb, unsigned int hooknr,
 {
 	struct ebt_nat_info *info = (struct ebt_nat_info *) data;
 
-	if (skb_make_writable(skb, 0))
+	if (!skb_make_writable(skb, 0))
 		return NF_DROP;
 
 	memcpy(eth_hdr(skb)->h_source, info->mac, ETH_ALEN);
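
Review bot: missing documentation at `if (!skb_make_writable(skb, 0))`: the write it protects is the memcpy() into eth_hdr(skb)->h_source on the line below, and a reader cannot tell from here why a writable length of 0 is enough to cover the MAC header. A one-line comment stating what the 0 guarantees would help, and would also apply to ebt_dnat.c and ebt_redirect.c.
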
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 45fa4e2..3f4222b 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -19,7 +19,7 @@ target(struct sk_buff *skb,
 	unsigned char *arpptr;
 	int pln, hln;
 
-	if (skb_make_writable(skb, skb->len))
+	if (!skb_make_writable(skb, skb->len))
 		return NF_DROP;
 
 	arp = arp_hdr(skb);
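
Review bot: the changelog's single line ("returns true or false") does not say what the old test did, and that is what a -stable reviewer needs. As it stood, `if (skb_make_writable(skb, skb->len)) return NF_DROP;` dropped every packet that had been made writable successfully and let the failures continue past the check to arp_hdr(skb). Suggest stating that consequence in the commit message.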


* [NETFILTER -stable 03/03]: fix ebtable targets return
From: Patrick McHardy @ 2008-02-25 14:01 UTC
  To: stable; +Cc: Patrick McHardy, netfilter-devel, davem

[NETFILTER]: fix ebtable targets return

Upstream commit 1b04ab459:

The function ebt_do_table doesn't take NF_DROP as a verdict from the targets.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit a07e4d33874c30069459f82917b2d334e5c58125
tree 91dda0811ebb02f60ba50c447834bb2bdb781cf6
parent 3040fdefd830230ef6c2515715755f312a24f814
author Patrick McHardy <kaber@trash.net> Mon, 25 Feb 2008 14:51:17 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 25 Feb 2008 14:51:17 +0100

 net/bridge/netfilter/ebt_dnat.c     |    2 +-
 net/bridge/netfilter/ebt_redirect.c |    2 +-
 net/bridge/netfilter/ebt_snat.c     |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 4fa9ecf..1024511 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -21,7 +21,7 @@ static int ebt_target_dnat(struct sk_buff *skb, unsigned int hooknr,
 	struct ebt_nat_info *info = (struct ebt_nat_info *)data;
 
 	if (!skb_make_writable(skb, 0))
-		return NF_DROP;
+		return EBT_DROP;
 
 	memcpy(eth_hdr(skb)->h_dest, info->mac, ETH_ALEN);
 	return info->target;
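
Review bot: the changelog says only that ebt_do_table "doesn't take NF_DROP" and not what ebt_do_table does when a target returns it, which is what decides how urgent this is for -stable; please add that. A short comment at `return EBT_DROP;`, or next to the target prototype, saying that ebtables targets return EBT_* verdicts rather than NF_* ones would keep the mix-up from coming back.
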
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index e322f10..88afc34 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -22,7 +22,7 @@ static int ebt_target_redirect(struct sk_buff *skb, unsigned int hooknr,
 	struct ebt_redirect_info *info = (struct ebt_redirect_info *)data;
 
 	if (!skb_make_writable(skb, 0))
-		return NF_DROP;
+		return EBT_DROP;
 
 	if (hooknr != NF_BR_BROUTING)
 		memcpy(eth_hdr(skb)->h_dest,
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 146e889..4c5a5a9 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -23,7 +23,7 @@ static int ebt_target_snat(struct sk_buff *skb, unsigned int hooknr,
 	struct ebt_nat_info *info = (struct ebt_nat_info *) data;
 
 	if (!skb_make_writable(skb, 0))
-		return NF_DROP;
+		return EBT_DROP;
 
 	memcpy(eth_hdr(skb)->h_source, info->mac, ETH_ALEN);
 	if (!(info->target & NAT_ARP_BIT) &&


* Re: [NETFILTER -stable 01/03]: nfnetlink_queue: fix SKB_LINEAR_ASSERT when mangling packet data
From: Patrick McHardy @ 2008-02-25 14:06 UTC
  To: stable; +Cc: netfilter-devel, davem

Patrick McHardy wrote:
> [NETFILTER]: nfnetlink_queue: fix SKB_LINEAR_ASSERT when mangling packet data
> 
> Upstream commit e2b58a67:
> 
> As reported by Tomas Simonaitis <tomas.simonaitis@gmail.com>, inserting new
> data in skbs queued over {ip,ip6,nfnetlink}_queue triggers a SKB_LINEAR_ASSERT
> in skb_put().
> 
> Going back through the git history, it seems this bug is present since at
> least 2.6.12-rc2, probably even since the removal of skb_linearize() for
> netfilter.


Just to avoid confusion: this part of the changelog is wrong, I initially
didn't realize this was just introduced recently and forgot to edit it
out for -stable.
