* [PATCH 0/2] Netfilter fixes for net
@ 2015-04-27 18:41 Pablo Neira Ayuso
  2015-04-27 18:41 ` [PATCH 1/2] netfilter: nf_tables: fix wrong length for jump/goto verdicts Pablo Neira Ayuso
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-04-27 18:41 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
   due to memory corruption, from Florian Westphal.

2) Fix another crash in nf_queue when used with br_netfilter. Also from
   Florian.

Both fixes are related to new stuff that got in 4.0-rc.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit b357a364c57c940ddb932224542494363df37378:

  inet: fix possible panic in reqsk_queue_unlink() (2015-04-24 11:39:15 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 547c4b547e07dcc60874b6ef6252dd49ff74aec1:

  netfilter: bridge: fix NULL deref in physin/out ifindex helpers (2015-04-24 20:51:40 +0200)

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: nf_tables: fix wrong length for jump/goto verdicts
      netfilter: bridge: fix NULL deref in physin/out ifindex helpers

 include/linux/netfilter_bridge.h |   16 ++++++++++++++--
 net/netfilter/nf_tables_api.c    |    3 +--
 2 files changed, 15 insertions(+), 4 deletions(-)


* [PATCH 1/2] netfilter: nf_tables: fix wrong length for jump/goto verdicts
  2015-04-27 18:41 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
@ 2015-04-27 18:41 ` Pablo Neira Ayuso
  2015-04-27 18:41 ` [PATCH 2/2] netfilter: bridge: fix NULL deref in physin/out ifindex helpers Pablo Neira Ayuso
  2015-04-28  3:13 ` [PATCH 0/2] Netfilter fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-04-27 18:41 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

NFT_JUMP/GOTO erroneously sets length to sizeof(void *).

We then allocate insufficient memory when such an element is added to a vmap.

Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 78af83b..ad9d11f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4340,7 +4340,6 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
 	case NFT_CONTINUE:
 	case NFT_BREAK:
 	case NFT_RETURN:
-		desc->len = sizeof(data->verdict);
 		break;
 	case NFT_JUMP:
 	case NFT_GOTO:
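Review bot: dropping `desc->len = sizeof(data->verdict);` from the NFT_CONTINUE/NFT_BREAK/NFT_RETURN arm is only correct together with the second hunk, which assigns the same value once after the switch; the two hunks are not independently applicable, so they must land as one commit (as they do here) and should not be split when backporting.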
@@ -4355,10 +4354,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
 
 		chain->use++;
 		data->verdict.chain = chain;
-		desc->len = sizeof(data);
 		break;
 	}
 
+	desc->len = sizeof(data->verdict);
 	desc->type = NFT_DATA_VERDICT;
 	return 0;
 }
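Review bot: the hoisted `desc->len = sizeof(data->verdict);` after the switch is the actual fix. The removed `desc->len = sizeof(data);` took the size of the `struct nft_data *data` parameter, that is, of a pointer, so a jump/goto verdict (code plus chain pointer) was reported as pointer-sized and an element copied from it was under-allocated. Setting the length once at the common exit also keeps a future verdict case from forgetting it; it is worth confirming that every error path inside the switch returns before this point, since the hunk only shows the NFT_JUMP/NFT_GOTO tail.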
-- 
1.7.10.4
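The size mix-up described in the commit message, reproduced with constructed stand-in types (an added example, not the kernel's code and not part of this thread; `nft_verdict`, `nft_data` and `nft_chain` here are simplified mocks of the kernel structures, and `copy_verdict` and `chain_survives` are hypothetical helpers). It shows why `sizeof(data)` on a pointer parameter under-reports the verdict length and what a consumer of that length loses:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types, simplified: a verdict is a
 * code plus (for jump/goto) a pointer to the target chain. */
struct nft_chain { const char *name; };

struct nft_verdict {
	uint32_t code;
	struct nft_chain *chain;
};

struct nft_data {
	union {
		struct nft_verdict verdict;
		unsigned char data[16];
	};
};

/* What the buggy NFT_JUMP/NFT_GOTO arm reported: sizeof(data), where
 * data is the 'struct nft_data *' parameter, i.e. the size of a pointer.
 * sizeof does not evaluate its operand, so a NULL argument is fine. */
size_t verdict_len_buggy(const struct nft_data *data)
{
	return sizeof(data);
}

/* What the fix reports: the size of the verdict member itself. */
size_t verdict_len_fixed(const struct nft_data *data)
{
	return sizeof(data->verdict);
}

/* Hypothetical consumer: copy a verdict into an element using the
 * length the verdict-init step reported. With an under-sized length
 * the tail of the verdict (the chain pointer) never arrives. */
void copy_verdict(struct nft_verdict *dst, const struct nft_data *src, size_t len)
{
	memset(dst, 0, sizeof(*dst));
	if (len > sizeof(*dst))
		len = sizeof(*dst);
	memcpy(dst, &src->verdict, len);
}

/* Returns 1 if a verdict copied with the given length function still
 * carries its chain pointer, 0 if the pointer was truncated away. */
int chain_survives(size_t (*len_fn)(const struct nft_data *))
{
	struct nft_chain target = { "filter-input" }; /* constructed chain */
	struct nft_data src;
	struct nft_verdict dst;

	memset(&src, 0, sizeof(src));
	src.verdict.code = 0x1; /* constructed code value, not the real NFT_JUMP */
	src.verdict.chain = &target;

	copy_verdict(&dst, &src, len_fn(&src));
	return dst.chain == &target;
}

int main(void)
{
	printf("buggy len %zu, fixed len %zu\n",
	       verdict_len_buggy(NULL), verdict_len_fixed(NULL));
	printf("chain pointer survives: buggy=%d fixed=%d\n",
	       chain_survives(verdict_len_buggy), chain_survives(verdict_len_fixed));
	return 0;
}
```

On both 32-bit and 64-bit targets the pointer-sized length stops before the `chain` field, so the copied verdict loses its target chain; the member-sized length copies the whole verdict.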


* [PATCH 2/2] netfilter: bridge: fix NULL deref in physin/out ifindex helpers
  2015-04-27 18:41 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2015-04-27 18:41 ` [PATCH 1/2] netfilter: nf_tables: fix wrong length for jump/goto verdicts Pablo Neira Ayuso
@ 2015-04-27 18:41 ` Pablo Neira Ayuso
  2015-04-28  3:13 ` [PATCH 0/2] Netfilter fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-04-27 18:41 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

Might not have an outdev yet. We'll oops when iface goes down while skbs
are still nfqueue'd:

RIP: 0010:[<ffffffff81422a2f>]  [<ffffffff81422a2f>] dev_cmp+0x4f/0x80
nfqnl_rcv_dev_event+0xe2/0x150
notifier_call_chain+0x53/0xa0

Fixes: c737b7c4510026 ("netfilter: bridge: add helpers for fetching physin/outdev")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter_bridge.h |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index ab8f76d..f2fdb5a 100644
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -39,12 +39,24 @@ static inline void br_drop_fake_rtable(struct sk_buff *skb)
 
 static inline int nf_bridge_get_physinif(const struct sk_buff *skb)
 {
-	return skb->nf_bridge ? skb->nf_bridge->physindev->ifindex : 0;
+	struct nf_bridge_info *nf_bridge;
+
+	if (skb->nf_bridge == NULL)
+		return 0;
+
+	nf_bridge = skb->nf_bridge;
+	return nf_bridge->physindev ? nf_bridge->physindev->ifindex : 0;
 }
 
 static inline int nf_bridge_get_physoutif(const struct sk_buff *skb)
 {
-	return skb->nf_bridge ? skb->nf_bridge->physoutdev->ifindex : 0;
+	struct nf_bridge_info *nf_bridge;
+
+	if (skb->nf_bridge == NULL)
+		return 0;
+
+	nf_bridge = skb->nf_bridge;
+	return nf_bridge->physoutdev ? nf_bridge->physoutdev->ifindex : 0;
 }
 
 static inline struct net_device *
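Review bot: the original one-liners only guarded `skb->nf_bridge` and then dereferenced `physindev`/`physoutdev` unconditionally; the oops in the commit message is the `physoutdev` case, still NULL while the skb sits in nfqueue. Checking both pointers is the right fix, and returning 0 for "no device" is unambiguous because 0 is never a valid ifindex. The two bodies are identical apart from the field name, so a single static helper taking the `struct net_device *` would avoid the duplicated guard, but that is cosmetic and fine to leave for a follow-up.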
-- 
1.7.10.4


* Re: [PATCH 0/2] Netfilter fixes for net
  2015-04-27 18:41 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2015-04-27 18:41 ` [PATCH 1/2] netfilter: nf_tables: fix wrong length for jump/goto verdicts Pablo Neira Ayuso
  2015-04-27 18:41 ` [PATCH 2/2] netfilter: bridge: fix NULL deref in physin/out ifindex helpers Pablo Neira Ayuso
@ 2015-04-28  3:13 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2015-04-28  3:13 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 27 Apr 2015 20:41:55 +0200

> The following patchset contains Netfilter fixes for your net tree,
> they are:
> 
> 1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
>    due to memory corruption, from Florian Westphal.
> 
> 2) Fix another crash in nf_queue when used with br_netfilter. Also from
>    Florian.
> 
> Both fixes are related to new stuff that got in 4.0-rc.

Pulled, thanks Pablo.

