Commit 7e09dccd07518729fe3cf586beb83acffa2e64ca
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains two bugfixes for your net tree, they are: 1) Validate netlink group from nfnetlink to avoid an out of bound array access. This should only happen with superuser privileges though. Discovered by Andrey Ryabinin using trinity. 2) Don't push ethernet header before calling the netfilter output hook for multicast traffic, this breaks ebtables since it expects to see skb->data pointing to the network header, patch from Linus Luessing. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 2 changed files Side-by-side Diff
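--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -813,10 +813,9 @@
 return;
 
 if (port) {
-__skb_push(skb, sizeof(struct ethhdr));
 skb->dev = port->dev;
 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
-dev_queue_xmit);
+br_dev_queue_push_xmit);
 } else {
 br_multicast_select_own_querier(br, ip, skb);
 netif_rx(skb);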
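Review bot: The call site in the `if (port)` branch now depends on an ordering that nothing in the code states: the NF_BR_LOCAL_OUT hook has to see skb->data at the network header, and the Ethernet header is presumably pushed later inside br_dev_queue_push_xmit(), which is not visible in this hunk. A short comment above NF_HOOK would keep someone from re-adding the push, for example `/* hook expects skb->data at the network header; okfn pushes the Ethernet header */`. It is also worth confirming that br_dev_queue_push_xmit() applies no drop conditions that dev_queue_xmit() did not, since generated queries would then be discarded silently. The enclosing function starts and ends outside the hunk.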
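--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -47,6 +47,8 @@
 [NFNLGRP_CONNTRACK_EXP_NEW] = NFNL_SUBSYS_CTNETLINK_EXP,
 [NFNLGRP_CONNTRACK_EXP_UPDATE] = NFNL_SUBSYS_CTNETLINK_EXP,
 [NFNLGRP_CONNTRACK_EXP_DESTROY] = NFNL_SUBSYS_CTNETLINK_EXP,
+[NFNLGRP_NFTABLES] = NFNL_SUBSYS_NFTABLES,
+[NFNLGRP_ACCT_QUOTA] = NFNL_SUBSYS_ACCT,
 };
 
 void nfnl_lock(__u8 subsys_id)
@@ -464,8 +466,13 @@
 static int nfnetlink_bind(int group)
 {
 const struct nfnetlink_subsystem *ss;
-int type = nfnl_group2type[group];
+int type;
 
+if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX)
+return -EINVAL;
+
+type = nfnl_group2type[group];
+
 rcu_read_lock();
 ss = nfnetlink_get_subsys(type);
 rcu_read_unlock();
@@ -513,6 +520,9 @@
 static int __init nfnetlink_init(void)
 {
 int i;
+
+for (i = NFNLGRP_NONE + 1; i <= NFNLGRP_MAX; i++)
+BUG_ON(nfnl_group2type[i] == NFNL_SUBSYS_NONE);
 
 for (i=0; i<NFNL_SUBSYS_COUNT; i++)
 mutex_init(&table[i].mutex);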
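Review bot: The new guard in nfnetlink_bind() bounds `group` by NFNLGRP_MAX rather than by the size of nfnl_group2type, whose declaration is outside the visible hunks, so the fix is only as strong as that declaration. If the array is not sized `NFNLGRP_MAX + 1`, both the lookup and the new BUG_ON loop in nfnetlink_init() would still read past its end; a compile-time `BUILD_BUG_ON(ARRAY_SIZE(nfnl_group2type) != NFNLGRP_MAX + 1);` in nfnetlink_init() would pin that assumption. The init loop also turns a missing table entry into a boot-time panic, where `WARN_ON` plus an error return from nfnetlink_init() may be the gentler choice. Both functions continue beyond the hunks shown.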