Commit cba85b532e4aabdb97f44c18987d45141fd93faa
Committed by
David S. Miller
David S. Miller
1 parent
f682cefa5a
netfilter: fix export secctx error handling
In 1ae4de0cdf855305765592647025bde55e85e451, the secctx was exported via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces instead of the secmark. That patch introduced the use of security_secid_to_secctx() which may return a non-zero value on error. In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no security modules. Thus, security_secid_to_secctx() returns a negative value that results in the breakage of the /proc and `conntrack -L' outputs. To fix this, we skip the inclusion of secctx if the aforementioned function fails. This patch also fixes the dynamic netlink message size calculation if security_secid_to_secctx() returns an error, since its logic is also wrong. This problem exists in Linux kernel >= 2.6.37. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 3 changed files with 16 additions and 13 deletions Side-by-side Diff
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
net/netfilter/nf_conntrack_netlink.c
| ... | ... | @@ -254,7 +254,7 @@ |
| 254 | 254 | |
| 255 | 255 | ret = security_secid_to_secctx(ct->secmark, &secctx, &len); |
| 256 | 256 | if (ret) |
| 257 | - return ret; | |
| 257 | + return 0; | |
| 258 | 258 | |
| 259 | 259 | ret = -1; |
| 260 | 260 | nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED); |
| 261 | 261 | |
| 262 | 262 | |
| 263 | 263 | |
| 264 | 264 | |
| ... | ... | @@ -453,16 +453,22 @@ |
| 453 | 453 | ; |
| 454 | 454 | } |
| 455 | 455 | |
| 456 | -#ifdef CONFIG_NF_CONNTRACK_SECMARK | |
| 457 | -static int ctnetlink_nlmsg_secctx_size(const struct nf_conn *ct) | |
| 456 | +static inline int | |
| 457 | +ctnetlink_secctx_size(const struct nf_conn *ct) | |
| 458 | 458 | { |
| 459 | - int len; | |
| 459 | +#ifdef CONFIG_NF_CONNTRACK_SECMARK | |
| 460 | + int len, ret; | |
| 460 | 461 | |
| 461 | - security_secid_to_secctx(ct->secmark, NULL, &len); | |
| 462 | + ret = security_secid_to_secctx(ct->secmark, NULL, &len); | |
| 463 | + if (ret) | |
| 464 | + return 0; | |
| 462 | 465 | |
| 463 | - return sizeof(char) * len; | |
| 464 | -} | |
| 466 | + return nla_total_size(0) /* CTA_SECCTX */ | |
| 467 | + + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ | |
| 468 | +#else | |
| 469 | + return 0; | |
| 465 | 470 | #endif |
| 471 | +} | |
| 466 | 472 | |
| 467 | 473 | static inline size_t |
| 468 | 474 | ctnetlink_nlmsg_size(const struct nf_conn *ct) |
| ... | ... | @@ -479,10 +485,7 @@ |
| 479 | 485 | + nla_total_size(0) /* CTA_PROTOINFO */ |
| 480 | 486 | + nla_total_size(0) /* CTA_HELP */ |
| 481 | 487 | + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ |
| 482 | -#ifdef CONFIG_NF_CONNTRACK_SECMARK | |
| 483 | - + nla_total_size(0) /* CTA_SECCTX */ | |
| 484 | - + nla_total_size(ctnetlink_nlmsg_secctx_size(ct)) /* CTA_SECCTX_NAME */ | |
| 485 | -#endif | |
| 488 | + + ctnetlink_secctx_size(ct) | |
| 486 | 489 | #ifdef CONFIG_NF_NAT_NEEDED |
| 487 | 490 | + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ |
| 488 | 491 | + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ |