1. 13 Mar, 2007 10 commits
    • Patrick McHardy's avatar
      nfnetlink_log: zero-terminate prefix · d00aff44
      Patrick McHardy authored
      [NETFILTER]: nfnetlink_log: zero-terminate prefix
      
      Userspace expects a zero-terminated string, so include the trailing
      zero in the netlink message.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      d00aff44
    • Patrick McHardy's avatar
      nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED · 868f0120
      Patrick McHardy authored
      [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
      
      The individual fragments of a packet reassembled by conntrack have the
      conntrack reference from the reassembled packet attached, but nfctinfo
      is not copied. This leaves it initialized to 0, which unfortunately is
      the value of IP_CT_ESTABLISHED.
      
      The result is that all IPv6 fragments are tracked as ESTABLISHED,
      allowing them to bypass a usual ruleset which accepts ESTABLISHED
      packets early.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      868f0120
    • Yasuyuki Kozakai's avatar
      ip6_route_me_harder should take into account mark · 1742d4d4
      Yasuyuki Kozakai authored
      [NETFILTER]: ip6_route_me_harder should take into account mark
      Signed-off-by: default avatarYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      1742d4d4
    • Michal Miroslaw's avatar
      nfnetlink_log: fix possible NULL pointer dereference · edc34643
      Michal Miroslaw authored
      [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference
      
      Eliminate possible NULL pointer dereference in nfulnl_recv_config().
      Signed-off-by: default avatarMichal Miroslaw <mirq-linux@rere.qmqm.pl>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      edc34643
    • Micha Mirosaw's avatar
      nfnetlink_log: fix NULL pointer dereference · ce51319b
      Micha Mirosaw authored
      [NETFILTER]: nfnetlink_log: fix NULL pointer dereference
      
      Fix the nasty NULL dereference on multiple packets per netlink message.
      
      BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
       printing eip:
      f8a4b3bf
      *pde = 00000000
      Oops: 0002 [#1]
      SMP
      Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack
      _ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark i
      pt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipma
      p ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_
      cd cdrom
      CPU:    0
      EIP:    0060:[<f8a4b3bf>]    Not tainted VLI
      EFLAGS: 00010206   (2.6.20 #5)
      EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log]
      eax: 00000000   ebx: f2b5cbc0   ecx: c03f5f54   edx: c03f4000
      esi: f2b5cbc8   edi: c03f5f54   ebp: f8a4b3ec   esp: c03f5f30
      ds: 007b   es: 007b   ss: 0068
      Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000)
      Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000
             c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009
             c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000
      Call Trace:
       [<f8a4b401>] nfulnl_timer+0x15/0x25 [nfnetlink_log]
       [<c012af49>] run_timer_softirq+0x10a/0x164
       [<c0126932>] __do_softirq+0x60/0xba
       [<c01269bd>] do_softirq+0x31/0x35
       [<c0104f6e>] do_IRQ+0x62/0x74
       [<c01036cb>] common_interrupt+0x23/0x28
       [<c0101018>] default_idle+0x0/0x3f
       [<c0101045>] default_idle+0x2d/0x3f
       [<c01010fa>] cpu_idle+0xa0/0xb9
       [<c03fb7f5>] start_kernel+0x1a8/0x1ac
       [<c03fb293>] unknown_bootoption+0x0/0x181
       =======================
      Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04
       31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8
       08 9a 84
      EIP: [<f8a4b3bf>] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30
       <0>Kernel panic - not syncing: Fatal exception in interrupt
       <0>Rebooting in 5 seconds..
      
      Panic no more!
      Signed-off-by: default avatarMicha Mirosaw <mirq-linux@rere.qmqm.pl>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      
      ce51319b
    • Patrick McHardy's avatar
      nfnetlink_log: fix use after free · 08bfad45
      Patrick McHardy authored
      [NETFILTER]: nfnetlink_log: fix use after free
      
      Paranoia: instance_put() might have freed the inst pointer when we
      spin_unlock_bh().
      Signed-off-by: default avatarMichal Miroslaw <mirq-linux@rere.qmqm.pl>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      08bfad45
    • Patrick McHardy's avatar
      nfnetlink_log: fix reference leak · 752d2d17
      Patrick McHardy authored
      [NETFILTER]: nfnetlink_log: fix reference leak
      
      Stop reference leaking in nfulnl_log_packet(). If we start a timer we
      are already taking another reference.
      Signed-off-by: default avatarMichal Miroslaw <mirq-linux@rere.qmqm.pl>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      
      752d2d17
    • Patrick McHardy's avatar
      tcp conntrack: accept SYN|URG as valid · 23dfe33b
      Patrick McHardy authored
      [NETFILTER]: tcp conntrack: accept SYN|URG as valid
      
      Some stacks apparently send packets with SYN|URG set. Linux accepts
      these packets, so TCP conntrack should to.
      
      Pointed out by Martijn Posthuma <posthuma@sangine.com>.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      23dfe33b
    • Patrick McHardy's avatar
      nf_conntrack/nf_nat: fix incorrect config ifdefs · 51248d46
      Patrick McHardy authored
      [NETFILTER]: nf_conntrack/nf_nat: fix incorrect config ifdefs
      
      The nf_conntrack_netlink config option is named CONFIG_NF_CT_NETLINK,
      but multiple files use CONFIG_IP_NF_CONNTRACK_NETLINK or
      CONFIG_NF_CONNTRACK_NETLINK for ifdefs.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      51248d46
    • Patrick McHardy's avatar
      conntrack: fix {nf, ip}_ct_iterate_cleanup endless loops · 48c0c8eb
      Patrick McHardy authored
      [NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops
      
      Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:
      
      - unconfirmed entries can not be killed manually, they are removed on
        confirmation or final destruction of the conntrack entry, which means
        we might iterate forever without making forward progress.
      
        This can happen in combination with the conntrack event cache, which
        holds a reference to the conntrack entry, which is only released when
        the packet makes it all the way through the stack or a different
        packet is handled.
      
      - taking references to an unconfirmed entry and using it outside the
        locked section doesn't work, the list entries are not refcounted and
        another CPU might already be waiting to destroy the entry
      
      What the code really wants to do is make sure the references of the hash
      table to the selected conntrack entries are released, so they will be
      destroyed once all references from skbs and the event cache are dropped.
      
      Since unconfirmed entries haven't even entered the hash yet, simply mark
      them as dying and skip confirmation based on that.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      48c0c8eb
  2. 09 Mar, 2007 30 commits