Re: [PATCH] netfilter: ipv4: fix NULL dereference

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Nikolay Borisov <kernel@kyup.com>
To: 张李平 <zlpwmdx@163.com>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org,
	kaber@trash.net, davem@davemloft.net,
	Liping Zhang <liping.zhang@spreadtrum.com>
Subject: Re: [PATCH] netfilter: ipv4: fix NULL dereference
Date: Thu, 24 Mar 2016 10:45:24 +0200	[thread overview]
Message-ID: <56F3A924.2000100@kyup.com> (raw)
In-Reply-To: <54382a12.8a92.153a7ba19ff.Coremail.zlpwmdx@163.com>



On 03/24/2016 10:25 AM, 张李平 wrote:
> At 2016-03-24 16:00:02, "Nikolay Borisov" <kernel@kyup.com> wrote:
>> I've been running production kernels in production with those changes
>> and so far I haven't observed a single crash resulting from this.
> 
> Did you run the test with the CONFIG_NET_NS config enabled?

Of course, why else would I author the patches :)

> 
> 
>> Furthermore, I  believe that all the call sites of synproxy_build_ip
>> should have the skb associated with a valid tcp socket, which must have
> 
>> originated from a particular namespace.
> 
> 
> Actually, the sk_buff passed to synproxy_build_ip() are all alloced by
> alloc_skb, and was not associated with a specific tcp socket, so skb->sk 
> is always NULL. Further more, SYNPROXY target can be used to proxy
> the tcp connections which are not local, i.e. tcp sockets was located on
> other hosts. 

Admittedly I'm not using the synproxy module so that might explain why I
haven't seen crashes.

In any case you can add my:

Reviewed-by: Nikolay Borisov <kernel@kyup.com>

> 
> 
>>
>> On 03/23/2016 04:27 PM, Liping Zhang wrote:
>>> From: Liping Zhang <liping.zhang@spreadtrum.com>
>>>
>>> Commit fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob")
>>> introduce the namespaceify ip_default_ttl, but sk_buff->sk maybe NULL,
>>> so sock_net(skb->sk) will dereference the NULL pointer and oops will
>>> happen.
>>>
>>> Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
>>> ---
>>>  net/bridge/netfilter/nft_reject_bridge.c |   20 ++++++++++----------
>>>  net/ipv4/netfilter/ipt_SYNPROXY.c        |   16 ++++++++++------
>>>  2 files changed, 20 insertions(+), 16 deletions(-)
>>>
>>> diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
>>> index adc8d72..77f7e7a 100644
>>> --- a/net/bridge/netfilter/nft_reject_bridge.c
>>> +++ b/net/bridge/netfilter/nft_reject_bridge.c
>>> @@ -40,7 +40,8 @@ static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb,
>>>  /* We cannot use oldskb->dev, it can be either bridge device (NF_BRIDGE INPUT)
>>>   * or the bridge port (NF_BRIDGE PREROUTING).
>>>   */
>>> -static void nft_reject_br_send_v4_tcp_reset(struct sk_buff *oldskb,
>>> +static void nft_reject_br_send_v4_tcp_reset(struct net *net,
>>> +					    struct sk_buff *oldskb,
>>>  					    const struct net_device *dev,
>>>  					    int hook)
>>>  {
>>> @@ -48,7 +49,6 @@ static void nft_reject_br_send_v4_tcp_reset(struct sk_buff *oldskb,
>>>  	struct iphdr *niph;
>>>  	const struct tcphdr *oth;
>>>  	struct tcphdr _oth;
>>> -	struct net *net = sock_net(oldskb->sk);
>>>  
>>>  	if (!nft_bridge_iphdr_validate(oldskb))
>>>  		return;
>>> @@ -75,7 +75,8 @@ static void nft_reject_br_send_v4_tcp_reset(struct sk_buff *oldskb,
>>>  	br_deliver(br_port_get_rcu(dev), nskb);
>>>  }
>>>  
>>> -static void nft_reject_br_send_v4_unreach(struct sk_buff *oldskb,
>>> +static void nft_reject_br_send_v4_unreach(struct net *net,
>>> +					  struct sk_buff *oldskb,
>>>  					  const struct net_device *dev,
>>>  					  int hook, u8 code)
>>>  {
>>> @@ -86,7 +87,6 @@ static void nft_reject_br_send_v4_unreach(struct sk_buff *oldskb,
>>>  	void *payload;
>>>  	__wsum csum;
>>>  	u8 proto;
>>> -	struct net *net = sock_net(oldskb->sk);
>>>  
>>>  	if (oldskb->csum_bad || !nft_bridge_iphdr_validate(oldskb))
>>>  		return;
>>> @@ -273,17 +273,17 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
>>>  	case htons(ETH_P_IP):
>>>  		switch (priv->type) {
>>>  		case NFT_REJECT_ICMP_UNREACH:
>>> -			nft_reject_br_send_v4_unreach(pkt->skb, pkt->in,
>>> -						      pkt->hook,
>>> +			nft_reject_br_send_v4_unreach(pkt->net, pkt->skb,
>>> +						      pkt->in, pkt->hook,
>>>  						      priv->icmp_code);
>>>  			break;
>>>  		case NFT_REJECT_TCP_RST:
>>> -			nft_reject_br_send_v4_tcp_reset(pkt->skb, pkt->in,
>>> -							pkt->hook);
>>> +			nft_reject_br_send_v4_tcp_reset(pkt->net, pkt->skb,
>>> +							pkt->in, pkt->hook);
>>>  			break;
>>>  		case NFT_REJECT_ICMPX_UNREACH:
>>> -			nft_reject_br_send_v4_unreach(pkt->skb, pkt->in,
>>> -						      pkt->hook,
>>> +			nft_reject_br_send_v4_unreach(pkt->net, pkt->skb,
>>> +						      pkt->in, pkt->hook,
>>>  						      nft_reject_icmp_code(priv->icmp_code));
>>>  			break;
>>>  		}
>>> diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
>>> index 7b8fbb3..6b4f501 100644
>>> --- a/net/ipv4/netfilter/ipt_SYNPROXY.c
>>> +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
>>> @@ -18,10 +18,10 @@
>>>  #include <net/netfilter/nf_conntrack_synproxy.h>
>>>  
>>>  static struct iphdr *
>>> -synproxy_build_ip(struct sk_buff *skb, __be32 saddr, __be32 daddr)
>>> +synproxy_build_ip(struct net *net, struct sk_buff *skb, __be32 saddr,
>>> +		  __be32 daddr)
>>>  {
>>>  	struct iphdr *iph;
>>> -	struct net *net = sock_net(skb->sk);
>>>  
>>>  	skb_reset_network_header(skb);
>>>  	iph = (struct iphdr *)skb_put(skb, sizeof(*iph));
>>> @@ -91,7 +91,8 @@ synproxy_send_client_synack(const struct synproxy_net *snet,
>>>  		return;
>>>  	skb_reserve(nskb, MAX_TCP_HEADER);
>>>  
>>> -	niph = synproxy_build_ip(nskb, iph->daddr, iph->saddr);
>>> +	niph = synproxy_build_ip(nf_ct_net(snet->tmpl), nskb, iph->daddr,
>>> +				 iph->saddr);
>>>  
>>>  	skb_reset_transport_header(nskb);
>>>  	nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
>>> @@ -132,7 +133,8 @@ synproxy_send_server_syn(const struct synproxy_net *snet,
>>>  		return;
>>>  	skb_reserve(nskb, MAX_TCP_HEADER);
>>>  
>>> -	niph = synproxy_build_ip(nskb, iph->saddr, iph->daddr);
>>> +	niph = synproxy_build_ip(nf_ct_net(snet->tmpl), nskb, iph->saddr,
>>> +				 iph->daddr);
>>>  
>>>  	skb_reset_transport_header(nskb);
>>>  	nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
>>> @@ -177,7 +179,8 @@ synproxy_send_server_ack(const struct synproxy_net *snet,
>>>  		return;
>>>  	skb_reserve(nskb, MAX_TCP_HEADER);
>>>  
>>> -	niph = synproxy_build_ip(nskb, iph->daddr, iph->saddr);
>>> +	niph = synproxy_build_ip(nf_ct_net(snet->tmpl), nskb, iph->daddr,
>>> +				 iph->saddr);
>>>  
>>>  	skb_reset_transport_header(nskb);
>>>  	nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
>>> @@ -215,7 +218,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
>>>  		return;
>>>  	skb_reserve(nskb, MAX_TCP_HEADER);
>>>  
>>> -	niph = synproxy_build_ip(nskb, iph->saddr, iph->daddr);
>>> +	niph = synproxy_build_ip(nf_ct_net(snet->tmpl), nskb, iph->saddr,
>>> +				 iph->daddr);
>>>  
>>>  	skb_reset_transport_header(nskb);
>>>  	nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
>>>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

next prev parent reply	other threads:[~2016-03-24  8:45 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-23 14:27 [PATCH] netfilter: ipv4: fix NULL dereference Liping Zhang
2016-03-24  8:00 ` Nikolay Borisov
     [not found]   ` <54382a12.8a92.153a7ba19ff.Coremail.zlpwmdx@163.com>
2016-03-24  8:45     ` Nikolay Borisov [this message]
2016-03-24 20:16   ` Pablo Neira Ayuso
2016-03-24 20:22 ` Pablo Neira Ayuso
2016-03-25  6:38   ` Liping Zhang
2016-03-25 10:49     ` Pablo Neira Ayuso
2016-03-25  7:24   ` Liping Zhang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56F3A924.2000100@kyup.com \
    --to=kernel@kyup.com \
    --cc=davem@davemloft.net \
    --cc=kaber@trash.net \
    --cc=liping.zhang@spreadtrum.com \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=zlpwmdx@163.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.