From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
davem@davemloft.net, tgraf@suug.ch,
Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
"Randy.Dunlap" <rdunlap@xenotime.net>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk
Subject: [PATCH 02/08] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption
Date: Fri, 24 Mar 2006 20:10:01 -0800
Message-ID: <20060325041001.GC16955@kroah.com>
In-Reply-To: <20060325040852.GA16955@kroah.com>
From: "David S. Miller" <davem@davemloft.net>
The size of the skb carrying the netlink message is not
equivalent to the length of the actual netlink message
due to padding. ip_queue matches the length of the payload
against the original packet size to determine if packet
mangling is desired; due to the above wrong assumption,
arbitrary packets may not be mangled depending on their
original size.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv4/netfilter/ip_queue.c | 2 +-
net/ipv6/netfilter/ip6_queue.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.15.6.orig/net/ipv4/netfilter/ip_queue.c
+++ linux-2.6.15.6/net/ipv4/netfilter/ip_queue.c
@@ -524,7 +524,7 @@ ipq_rcv_skb(struct sk_buff *skb)
write_unlock_bh(&queue_lock);
status = ipq_receive_peer(NLMSG_DATA(nlh), type,
- skblen - NLMSG_LENGTH(0));
+ nlmsglen - NLMSG_LENGTH(0));
if (status < 0)
RCV_SKB_FAIL(status);
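Review bot: the new third argument to ipq_receive_peer(), `nlmsglen - NLMSG_LENGTH(0)`, is only safe if nlmsglen has already been checked to be at least NLMSG_LENGTH(0) and no larger than skblen, and neither check is visible in this hunk's context. The value now follows the message's own length field rather than the size of the received buffer, so a too-small value would make the subtraction wrap and a too-large one would describe payload past the end of the skb. Please confirm that the earlier part of ipq_rcv_skb() rejects both cases before this call, and consider a one-line comment above the call saying the length has been validated against skblen, so the dependency is obvious to the next person touching it.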
--- linux-2.6.15.6.orig/net/ipv6/netfilter/ip6_queue.c
+++ linux-2.6.15.6/net/ipv6/netfilter/ip6_queue.c
@@ -522,7 +522,7 @@ ipq_rcv_skb(struct sk_buff *skb)
write_unlock_bh(&queue_lock);
status = ipq_receive_peer(NLMSG_DATA(nlh), type,
- skblen - NLMSG_LENGTH(0));
+ nlmsglen - NLMSG_LENGTH(0));
if (status < 0)
RCV_SKB_FAIL(status);
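Review bot: this ip6_queue.c call site gets the identical one-line change, but the subject line and changelog only name ip_queue; please mention that the IPv6 queue handler carried the same skb->len assumption, so anyone auditing ip6_queue in a stable tree can find the fix by its description. With skblen dropped from the `ipq_receive_peer(NLMSG_DATA(nlh), type, ...)` call in both files, it is also worth checking that the variable is still used elsewhere in each copy of ipq_rcv_skb() and is not left behind as dead code.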
Thread overview: 10+ messages
2006-03-25 4:08 [00/08] 2.6.15.7 -stable review Greg KH
2006-03-25 4:09 ` [PATCH 01/08] IB/srp: Don't send task management commands after target removal Greg KH
2006-03-25 4:10 ` Greg KH [this message]
2006-03-25 4:10 ` [PATCH 03/08] NET: compat ifconf: fix limits Greg KH
2006-03-25 4:10 ` [PATCH 04/08] cramfs mounts provide corrupted content since 2.6.15 Greg KH
2006-03-25 4:11 ` [PATCH 05/08] Kconfig: VIDEO_DECODER must select FW_LOADER Greg KH
2006-03-25 13:21 ` Mauro Carvalho Chehab
2006-03-25 4:11 ` [PATCH 06/08] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242) Greg KH
2006-03-25 4:11 ` [PATCH 07/08] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated Greg KH
2006-03-25 4:12 ` [PATCH 08/08] Fix ext2 readdir f_pos re-validation logic Greg KH