[NETFILTER 00/03]: Netfilter fixes

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are three more patches for some nasty netfilter bugs, fixing incorrect
conntrack classification of IPv6 fragments, a crash in nfnetlink_log with briding
and a missing terminating zero-byte in the nfnetlink_log prefix message.

Please apply, thanks.


 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    1 +
 net/netfilter/nfnetlink_log.c                  |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

Patrick McHardy:
      [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
      [NETFILTER]: nfnetlink_log: zero-terminate prefix
      [NETFILTER]: nfnetlink_log: fix crash on bridged packet

[NETFILTER 01/03]: nf_conntrack_ipv6: fix incorrect classification of IPv6 fragments as ESTABLISHED

[Patrick McHardy]

[NETFILTER]: nf_conntrack_ipv6: fix incorrect classification of IPv6 fragments as ESTABLISHED

The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.

The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5bd8638bfa97ebf5ff7765ed06fccd594108e92f
tree 8adea214d03250ab3d1babdcb84706684c550874
parent 393e32c96abe68f7aa2a399b4600dfba8b15a83b
author Patrick McHardy <kaber@trash.net> Tue, 06 Mar 2007 06:53:14 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 06 Mar 2007 07:15:45 +0100

 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 6f19c4a..d110245 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(un
 		}
 		nf_conntrack_get(reasm->nfct);
 		(*pskb)->nfct = reasm->nfct;
+		(*pskb)->nfctinfo = reasm->nfctinfo;
 		return NF_ACCEPT;
 	}
 

[NETFILTER 02/03]: nfnetlink_log: zero-terminate prefix

[Patrick McHardy]

[NETFILTER]: nfnetlink_log: zero-terminate prefix

Userspace expects a zero-terminated string, so include the trailing
zero in the netlink message.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit fdc819454fe27437cdaac5674a18373657650068
tree 577adbfcbd3741e1538d5f943a7c7ca23172cd01
parent 5bd8638bfa97ebf5ff7765ed06fccd594108e92f
author Patrick McHardy <kaber@trash.net> Tue, 06 Mar 2007 07:17:00 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 06 Mar 2007 07:17:00 +0100

 net/netfilter/nfnetlink_log.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 91a0972..12f92e2 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -615,7 +615,7 @@ nfulnl_log_packet(unsigned int pf,
 
 	plen = 0;
 	if (prefix)
-		plen = strlen(prefix);
+		plen = strlen(prefix) + 1;
 
 	/* all macros expand to constant values at compile time */
 	/* FIXME: do we want to make the size calculation conditional based on

[NETFILTER 03/03]: nfnetlink_log: fix crash on bridged packet

[Patrick McHardy]

[NETFILTER]: nfnetlink_log: fix crash on bridged packet

physoutdev is only set on purely bridged packet, when nfnetlink_log is used
in the OUTPUT/FORWARD/POSTROUTING hooks on packets forwarded from or to a
bridge it crashes when trying to dereference skb->nf_bridge->physoutdev.

Reported by Holger Eitzenberger <heitzenberger@astaro.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 8baa666cdecd6dbb774f0ceca9ea2738f893a02b
tree 950f54d9eec340efe42b10810994ee9f1b6887ba
parent fdc819454fe27437cdaac5674a18373657650068
author Patrick McHardy <kaber@trash.net> Tue, 06 Mar 2007 08:09:06 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 06 Mar 2007 08:09:06 +0100

 net/netfilter/nfnetlink_log.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 12f92e2..5cb30eb 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -486,7 +486,7 @@ #else
 			 * for physical device (when called from ipv4) */
 			NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
 				sizeof(tmp_uint), &tmp_uint);
-			if (skb->nf_bridge) {
+			if (skb->nf_bridge && skb->nf_bridge->physoutdev) {
 				tmp_uint =
 				    htonl(skb->nf_bridge->physoutdev->ifindex);
 				NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,

Re: [NETFILTER 00/03]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  6 Mar 2007 08:44:01 +0100 (MET)

> Hi Dave,
> 
> following are three more patches for some nasty netfilter bugs, fixing incorrect
> conntrack classification of IPv6 fragments, a crash in nfnetlink_log with briding
> and a missing terminating zero-byte in the nfnetlink_log prefix message.
> 
> Please apply, thanks.

All 3 patches applied, thank you.