Commit 7e09dccd07518729fe3cf586beb83acffa2e64ca

Authored by David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains two bugfixes for your net tree, they are:

1) Validate netlink group from nfnetlink to avoid an out-of-bounds array
   access. This should only happen with superuser privileges though.
   Discovered by Andrey Ryabinin using trinity.

2) Don't push ethernet header before calling the netfilter output hook
   for multicast traffic, this breaks ebtables since it expects to see
   skb->data pointing to the network header, patch from Linus Luessing.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 2 changed files

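--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -813,10 +813,9 @@
 return;
 
 if (port) {
-__skb_push(skb, sizeof(struct ethhdr));
 skb->dev = port->dev;
 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
-dev_queue_xmit);
+br_dev_queue_push_xmit);
 } else {
 br_multicast_select_own_querier(br, ip, skb);
 netif_rx(skb);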
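Review bot: The NF_HOOK call in the `if (port)` branch now depends on an invariant that no comment records: skb->data must still point at the network header when the NF_BR_LOCAL_OUT hooks run, and the Ethernet header push is left to the okfn. A one-line comment above the call, such as `/* hooks expect skb->data at the network header; br_dev_queue_push_xmit pushes the ethhdr */`, would keep a later cleanup from re-adding the `__skb_push`. br_dev_queue_push_xmit is defined outside this hunk, so it is worth confirming that any extra checks it applies before transmitting (presumably length or forwardability) are intended for locally generated queries. The enclosing function starts and ends outside the hunk.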
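--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -47,6 +47,8 @@
 [NFNLGRP_CONNTRACK_EXP_NEW] = NFNL_SUBSYS_CTNETLINK_EXP,
 [NFNLGRP_CONNTRACK_EXP_UPDATE] = NFNL_SUBSYS_CTNETLINK_EXP,
 [NFNLGRP_CONNTRACK_EXP_DESTROY] = NFNL_SUBSYS_CTNETLINK_EXP,
+[NFNLGRP_NFTABLES] = NFNL_SUBSYS_NFTABLES,
+[NFNLGRP_ACCT_QUOTA] = NFNL_SUBSYS_ACCT,
 };
 
 void nfnl_lock(__u8 subsys_id)
@@ -464,8 +466,13 @@
 static int nfnetlink_bind(int group)
 {
 const struct nfnetlink_subsystem *ss;
-int type = nfnl_group2type[group];
+int type;
 
+if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX)
+return -EINVAL;
+
+type = nfnl_group2type[group];
+
 rcu_read_lock();
 ss = nfnetlink_get_subsys(type);
 rcu_read_unlock();
@@ -513,6 +520,9 @@
 static int __init nfnetlink_init(void)
 {
 int i;
+
+for (i = NFNLGRP_NONE + 1; i <= NFNLGRP_MAX; i++)
+BUG_ON(nfnl_group2type[i] == NFNL_SUBSYS_NONE);
 
 for (i=0; i<NFNL_SUBSYS_COUNT; i++)
 mutex_init(&table[i].mutex);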
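Review bot: The completeness check added at the top of nfnetlink_init uses BUG_ON, so a group added later without a matching `nfnl_group2type` entry brings the kernel down at init instead of failing the load. The loop runs before anything visible in the hunk is set up, so `if (WARN_ON(nfnl_group2type[i] == NFNL_SUBSYS_NONE))` followed by `return -EINVAL;` would report the same mistake without crashing. The rest of nfnetlink_init is outside the hunk, so confirm nothing earlier would need unwinding. Separately, the range check in nfnetlink_bind is the only thing keeping a caller-supplied group inside the table, and it assumes the array is declared with NFNLGRP_MAX + 1 elements, which is not visible here. A short comment on the check, such as `/* group comes from userspace bind(); nfnl_group2type has NFNLGRP_MAX + 1 entries */`, would make that dependency explicit.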