From: Eric W. Biederman <[EMAIL PROTECTED]> - unquoted Before I can enable rtnetlink to work in all network namespaces I need to be certain that something won't break. So this patch deliberately disables all of the methods and when they are audited this extra check can be disabled.
Signed-off-by: Eric W. Biederman <[EMAIL PROTECTED]> --- net/bridge/br_netlink.c | 9 +++++++++ net/core/fib_rules.c | 7 +++++++ net/core/neighbour.c | 18 ++++++++++++++++++ net/core/rtnetlink.c | 13 +++++++++++++ net/decnet/dn_dev.c | 12 ++++++++++++ net/decnet/dn_fib.c | 8 ++++++++ net/decnet/dn_route.c | 8 ++++++++ net/decnet/dn_rules.c | 5 +++++ net/decnet/dn_table.c | 4 ++++ net/ipv4/devinet.c | 12 ++++++++++++ net/ipv4/fib_frontend.c | 12 ++++++++++++ net/ipv4/fib_rules.c | 5 +++++ net/ipv6/addrconf.c | 31 +++++++++++++++++++++++++++++++ net/ipv6/fib6_rules.c | 5 +++++ net/ipv6/ip6_fib.c | 4 ++++ net/ipv6/route.c | 12 ++++++++++++ net/sched/act_api.c | 8 ++++++++ net/sched/cls_api.c | 8 ++++++++ net/sched/sch_api.c | 20 ++++++++++++++++++++ 19 files changed, 201 insertions(+), 0 deletions(-) diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index 119b97d..85165a1 100644 --- a/net/bridge/br_netlink.c +++ b/net/bridge/br_netlink.c @@ -14,6 +14,7 @@ #include <linux/rtnetlink.h> #include <net/netlink.h> #include <net/net_namespace.h> +#include <net/sock.h> #include "br_private.h" static inline size_t br_nlmsg_size(void) @@ -104,9 +105,13 @@ errout: */ static int br_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; struct net_device *dev; int idx; + if (!net_eq(net, init_net())) + return 0; + read_lock(&per_net(dev_base_lock, init_net())); for (dev = per_net(dev_base, init_net()), idx = 0; dev; dev = dev->next) { /* not a bridge port */ @@ -133,12 +138,16 @@ skip: */ static int br_rtm_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct ifinfomsg *ifm; struct nlattr *protinfo; struct net_device *dev; struct net_bridge_port *p; u8 new_state; + if (!net_eq(net, init_net())) + return -EINVAL; + if (nlmsg_len(nlh) < sizeof(*ifm)) return -EINVAL; diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index 2fa2708..00b4148 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c @@ -163,6 +163,9 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) struct nlattr *tb[FRA_MAX+1]; int err = -EINVAL; + if (!net_eq(net, init_net())) + return -EINVAL; + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) goto errout; @@ -244,12 +247,16 @@ errout: int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) { + net_t net = skb->sk->sk_net; struct fib_rule_hdr *frh = nlmsg_data(nlh); struct fib_rules_ops *ops = NULL; struct fib_rule *rule; struct nlattr *tb[FRA_MAX+1]; int err = -EINVAL; + if (!net_eq(net, init_net())) + return -EINVAL; + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) goto errout; diff --git a/net/core/neighbour.c b/net/core/neighbour.c index f5d4f92..d89c6fe 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1445,6 +1445,9 @@ int neigh_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct net_device *dev = NULL; int err = -EINVAL; + if (!net_eq(net, init_net())) + return -EINVAL; + if (nlmsg_len(nlh) < sizeof(*ndm)) goto out; @@ -1511,6 +1514,9 @@ int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct net_device *dev = NULL; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); if (err < 0) goto out; @@ -1783,11 +1789,15 @@ static struct nla_policy nl_ntbl_parm_policy[NDTPA_MAX+1] __read_mostly = { int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct neigh_table *tbl; struct ndtmsg *ndtmsg; struct nlattr *tb[NDTA_MAX+1]; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ndtmsg), tb, NDTA_MAX, nl_neightbl_policy); if (err < 0) @@ -1907,11 +1917,15 @@ errout: int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; int family, tidx, nidx = 0; int tbl_skip = cb->args[0]; int neigh_skip = cb->args[1]; struct neigh_table *tbl; + if (!net_eq(net, init_net())) + return 0; + family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; read_lock(&neigh_tbl_lock); @@ -2030,9 +2044,13 @@ out: int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; struct neigh_table *tbl; int t, family, s_t; + if (!net_eq(net, init_net())) + return 0; + read_lock(&neigh_tbl_lock); family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; s_t = cb->args[0]; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 5ac07a0..9be586c 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -395,6 +395,9 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) int s_idx = cb->args[0]; struct net_device *dev; + if (!net_eq(net, init_net())) + return 0; + read_lock(&per_net(dev_base_lock, net)); for (dev=per_net(dev_base, net), idx=0; dev; dev = dev->next, idx++) { if (idx < s_idx) @@ -429,6 +432,9 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct nlattr *tb[IFLA_MAX+1]; char ifname[IFNAMSIZ]; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); if (err < 0) goto errout; @@ -602,6 +608,9 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) int iw_buf_len = 0; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); if (err < 0) return err; @@ -650,9 +659,13 @@ errout: static int rtnl_dump_all(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; int idx; int s_idx = cb->family; + if (!net_eq(net, init_net())) + return 0; + if (s_idx == 0) s_idx = 1; for (idx=1; idx<NPROTO; idx++) { diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c index c83c8d1..a09275b 100644 --- a/net/decnet/dn_dev.c +++ b/net/decnet/dn_dev.c @@ -648,12 +648,16 @@ static struct nla_policy dn_ifa_policy[IFA_MAX+1] __read_mostly = { static int dn_nl_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct nlattr *tb[IFA_MAX+1]; struct dn_dev *dn_db; struct ifaddrmsg *ifm; struct dn_ifaddr *ifa, **ifap; int err = -EADDRNOTAVAIL; + if (!net_eq(net, init_net())) + goto errout; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy); if (err < 0) goto errout; @@ -680,6 +684,7 @@ errout: static int dn_nl_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct nlattr *tb[IFA_MAX+1]; struct net_device *dev; struct dn_dev *dn_db; @@ -687,6 +692,9 @@ static int dn_nl_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct dn_ifaddr *ifa; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy); if (err < 0) return err; @@ -788,11 +796,15 @@ errout: static int dn_nl_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; int idx, dn_idx = 0, skip_ndevs, skip_naddr; struct net_device *dev; struct dn_dev *dn_db; struct dn_ifaddr *ifa; + if (!net_eq(net, init_net())) + return 0; + skip_ndevs = cb->args[0]; skip_naddr = cb->args[1]; diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c index cc2ab1f..832e1b4 100644 --- a/net/decnet/dn_fib.c +++ b/net/decnet/dn_fib.c @@ -503,10 +503,14 @@ static int dn_fib_check_attr(struct rtmsg *r, struct rtattr **rta) int dn_fib_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct dn_fib_table *tb; struct rtattr **rta = arg; struct rtmsg *r = NLMSG_DATA(nlh); + if (!net_eq(net, init_net())) + return -EINVAL; + if (dn_fib_check_attr(r, rta)) return -EINVAL; @@ -519,10 +523,14 @@ int dn_fib_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) int dn_fib_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct dn_fib_table *tb; struct rtattr **rta = arg; struct rtmsg *r = NLMSG_DATA(nlh); + if (!net_eq(net, init_net())) + return -EINVAL; + if (dn_fib_check_attr(r, rta)) return -EINVAL; diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c index 9669e50..d942ea0 100644 --- a/net/decnet/dn_route.c +++ b/net/decnet/dn_route.c @@ -1528,6 +1528,7 @@ rtattr_failure: */ int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void *arg) { + net_t net = in_skb->sk->sk_net; struct rtattr **rta = arg; struct rtmsg *rtm = NLMSG_DATA(nlh); struct dn_route *rt = NULL; @@ -1536,6 +1537,9 @@ int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void *arg) struct sk_buff *skb; struct flowi fl; + if (!net_eq(net, init_net())) + return -EINVAL; + memset(&fl, 0, sizeof(fl)); fl.proto = DNPROTO_NSP; @@ -1613,10 +1617,14 @@ out_free: */ int dn_cache_dump(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; struct dn_route *rt; int h, s_h; int idx, s_idx; + if (!net_eq(net, init_net())) + return 0; + if (NLMSG_PAYLOAD(cb->nlh, 0) < sizeof(struct rtmsg)) return -EINVAL; if (!(((struct rtmsg *)NLMSG_DATA(cb->nlh))->rtm_flags&RTM_F_CLONED)) diff --git a/net/decnet/dn_rules.c b/net/decnet/dn_rules.c index e32d0c3..84eec40 100644 --- a/net/decnet/dn_rules.c +++ b/net/decnet/dn_rules.c @@ -243,6 +243,11 @@ static u32 dn_fib_rule_default_pref(void) int dn_fib_dump_rules(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; + + if (!net_eq(net, init_net())) + return 0; + return fib_rules_dump(skb, cb, AF_DECnet); } diff --git a/net/decnet/dn_table.c b/net/decnet/dn_table.c index 13b2421..3ff151c 100644 --- a/net/decnet/dn_table.c +++ b/net/decnet/dn_table.c @@ -459,12 +459,16 @@ static int dn_fib_table_dump(struct dn_fib_table *tb, struct sk_buff *skb, int dn_fib_dump(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; unsigned int h, s_h; unsigned int e = 0, s_e; struct dn_fib_table *tb; struct hlist_node *node; int dumped = 0; + if (!net_eq(net, init_net())) + return 0; + if (NLMSG_PAYLOAD(cb->nlh, 0) >= sizeof(struct rtmsg) && ((struct rtmsg *)NLMSG_DATA(cb->nlh))->rtm_flags&RTM_F_CLONED) return dn_cache_dump(skb, cb); diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index b0d12ec..7769b1c 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -443,6 +443,7 @@ struct in_ifaddr *inet_ifa_byprefix(struct in_device *in_dev, __be32 prefix, static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct nlattr *tb[IFA_MAX+1]; struct in_device *in_dev; struct ifaddrmsg *ifm; @@ -451,6 +452,9 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg ASSERT_RTNL(); + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy); if (err < 0) goto errout; @@ -562,10 +566,14 @@ errout: static int inet_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct in_ifaddr *ifa; ASSERT_RTNL(); + if (!net_eq(net, init_net())) + return -EINVAL; + ifa = rtm_to_ifaddr(nlh); if (IS_ERR(ifa)) return PTR_ERR(ifa); @@ -1173,12 +1181,16 @@ nla_put_failure: static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; int idx, ip_idx; struct net_device *dev; struct in_device *in_dev; struct in_ifaddr *ifa; int s_ip_idx, s_idx = cb->args[0]; + if (!net_eq(net, init_net())) + return 0; + s_ip_idx = ip_idx = cb->args[1]; read_lock(&per_net(dev_base_lock, init_net())); for (dev = per_net(dev_base, init_net()), idx = 0; dev; dev = dev->next, idx++) { diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 449f42d..0e48fb8 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -538,10 +538,14 @@ errout: int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) { + net_t net = skb->sk->sk_net; struct fib_config cfg; struct fib_table *tb; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = rtm_to_fib_config(skb, nlh, &cfg); if (err < 0) goto errout; @@ -559,10 +563,14 @@ errout: int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) { + net_t net = skb->sk->sk_net; struct fib_config cfg; struct fib_table *tb; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = rtm_to_fib_config(skb, nlh, &cfg); if (err < 0) goto errout; @@ -580,12 +588,16 @@ errout: int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; unsigned int h, s_h; unsigned int e = 0, s_e; struct fib_table *tb; struct hlist_node *node; int dumped = 0; + if (!net_eq(net, init_net())) + return 0; + if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) && ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED) return ip_rt_dump(skb, cb); diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c index b837c33..f2c50e0 100644 --- a/net/ipv4/fib_rules.c +++ b/net/ipv4/fib_rules.c @@ -279,6 +279,11 @@ nla_put_failure: int fib4_rules_dump(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; + + if (!net_eq(net, init_net())) + return 0; + return fib_rules_dump(skb, cb, AF_INET); } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 7afe698..83b7312 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -2951,11 +2951,15 @@ static struct nla_policy ifa_ipv6_policy[IFA_MAX+1] __read_mostly = { static int inet6_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct ifaddrmsg *ifm; struct nlattr *tb[IFA_MAX+1]; struct in6_addr *pfx; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy); if (err < 0) return err; @@ -3003,6 +3007,7 @@ static int inet6_addr_modify(struct inet6_ifaddr *ifp, u8 ifa_flags, static int inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) { + net_t net = skb->sk->sk_net; struct ifaddrmsg *ifm; struct nlattr *tb[IFA_MAX+1]; struct in6_addr *pfx; @@ -3012,6 +3017,9 @@ inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) u8 ifa_flags; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy); if (err < 0) return err; @@ -3278,26 +3286,42 @@ done: static int inet6_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; enum addr_type_t type = UNICAST_ADDR; + + if (!net_eq(net, init_net())) + return 0; + return inet6_dump_addr(skb, cb, type); } static int inet6_dump_ifmcaddr(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; enum addr_type_t type = MULTICAST_ADDR; + + if (!net_eq(net, init_net())) + return 0; + return inet6_dump_addr(skb, cb, type); } static int inet6_dump_ifacaddr(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; enum addr_type_t type = ANYCAST_ADDR; + + if (!net_eq(net, init_net())) + return 0; + return inet6_dump_addr(skb, cb, type); } static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg) { + net_t net = in_skb->sk->sk_net; struct ifaddrmsg *ifm; struct nlattr *tb[IFA_MAX+1]; struct in6_addr *addr = NULL; @@ -3306,6 +3330,9 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr* nlh, struct sk_buff *skb; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy); if (err < 0) goto errout; @@ -3472,11 +3499,15 @@ nla_put_failure: static int inet6_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; int idx, err; int s_idx = cb->args[0]; struct net_device *dev; struct inet6_dev *idev; + if (!net_eq(net, init_net())) + return 0; + read_lock(&per_net(dev_base_lock, init_net())); for (dev=per_net(dev_base, init_net()), idx=0; dev; dev = dev->next, idx++) { if (idx < s_idx) diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index 0862809..80d6de6 100644 --- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c @@ -223,6 +223,11 @@ nla_put_failure: int fib6_rules_dump(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; + + if (!net_eq(net, init_net())) + return 0; + return fib_rules_dump(skb, cb, AF_INET6); } diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 96d8310..97814ed 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -362,6 +362,7 @@ end: int inet6_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; unsigned int h, s_h; unsigned int e = 0, s_e; struct rt6_rtnl_dump_arg arg; @@ -370,6 +371,9 @@ int inet6_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) struct hlist_node *node; int res = 0; + if (!net_eq(net, init_net())) + return 0; + s_h = cb->args[0]; s_e = cb->args[1]; diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 4519006..02fd8ae 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -1985,9 +1985,13 @@ errout: int inet6_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) { + net_t net = skb->sk->sk_net; struct fib6_config cfg; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = rtm_to_fib6_config(skb, nlh, &cfg); if (err < 0) return err; @@ -1997,9 +2001,13 @@ int inet6_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) int inet6_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) { + net_t net = skb->sk->sk_net; struct fib6_config cfg; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + err = rtm_to_fib6_config(skb, nlh, &cfg); if (err < 0) return err; @@ -2132,6 +2140,7 @@ int rt6_dump_route(struct rt6_info *rt, void *p_arg) int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg) { + net_t net = in_skb->sk->sk_net; struct nlattr *tb[RTA_MAX+1]; struct rt6_info *rt; struct sk_buff *skb; @@ -2139,6 +2148,9 @@ int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg) struct flowi fl; int err, iif = 0; + if (!net_eq(net, init_net())) + return -EINVAL; + err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv6_policy); if (err < 0) goto errout; diff --git a/net/sched/act_api.c b/net/sched/act_api.c index 835070e..18d8f68 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c @@ -942,10 +942,14 @@ done: static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg) { + net_t net = skb->sk->sk_net; struct rtattr **tca = arg; u32 pid = skb ? NETLINK_CB(skb).pid : 0; int ret = 0, ovr = 0; + if (!net_eq(net, init_net())) + return -EINVAL; + if (tca[TCA_ACT_TAB-1] == NULL) { printk("tc_ctl_action: received NO action attribs\n"); return -EINVAL; @@ -1015,6 +1019,7 @@ find_dump_kind(struct nlmsghdr *n) static int tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; struct nlmsghdr *nlh; unsigned char *b = skb->tail; struct rtattr *x; @@ -1024,6 +1029,9 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb) struct tcamsg *t = (struct tcamsg *) NLMSG_DATA(cb->nlh); struct rtattr *kind = find_dump_kind(cb->nlh); + if (!net_eq(net, init_net())) + return 0; + if (kind == NULL) { printk("tc_dump_action: action bad kind\n"); return 0; diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 19935f9..09a3ec8 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -129,6 +129,7 @@ static __inline__ u32 tcf_auto_prio(struct tcf_proto *tp) static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg) { + net_t net = skb->sk->sk_net; struct rtattr **tca; struct tcmsg *t; u32 protocol; @@ -145,6 +146,9 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg) unsigned long fh; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + replay: tca = arg; t = NLMSG_DATA(n); @@ -385,6 +389,7 @@ static int tcf_node_dump(struct tcf_proto *tp, unsigned long n, struct tcf_walke static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; int t; int s_t; struct net_device *dev; @@ -395,6 +400,9 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb) struct Qdisc_class_ops *cops; struct tcf_dump_args arg; + if (!net_eq(net, init_net())) + return 0; + if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm))) return skb->len; if ((dev = dev_get_by_index(init_net(), tcm->tcm_ifindex)) == NULL) diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 912e8e1..7e33f73 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -578,6 +578,7 @@ check_loop_fn(struct Qdisc *q, unsigned long cl, struct qdisc_walker *w) static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg) { + net_t net = skb->sk->sk_net; struct tcmsg *tcm = NLMSG_DATA(n); struct rtattr **tca = arg; struct net_device *dev; @@ -586,6 +587,9 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg) struct Qdisc *p = NULL; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + if ((dev = __dev_get_by_index(init_net(), tcm->tcm_ifindex)) == NULL) return -ENODEV; @@ -639,6 +643,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg) static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg) { + net_t net = skb->sk->sk_net; struct tcmsg *tcm; struct rtattr **tca; struct net_device *dev; @@ -646,6 +651,9 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg) struct Qdisc *q, *p; int err; + if (!net_eq(net, init_net())) + return -EINVAL; + replay: /* Reinit, just in case something touches this. */ tcm = NLMSG_DATA(n); @@ -851,11 +859,15 @@ err_out: static int tc_dump_qdisc(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; int idx, q_idx; int s_idx, s_q_idx; struct net_device *dev; struct Qdisc *q; + if (!net_eq(net, init_net())) + return 0; + s_idx = cb->args[0]; s_q_idx = q_idx = cb->args[1]; read_lock(&per_net(dev_base_lock, init_net())); @@ -900,6 +912,7 @@ done: static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg) { + net_t net = skb->sk->sk_net; struct tcmsg *tcm = NLMSG_DATA(n); struct rtattr **tca = arg; struct net_device *dev; @@ -912,6 +925,9 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg) u32 qid = TC_H_MAJ(clid); int err; + if (!net_eq(net, init_net())) + return -EINVAL; + if ((dev = __dev_get_by_index(init_net(), tcm->tcm_ifindex)) == NULL) return -ENODEV; @@ -1086,6 +1102,7 @@ static int qdisc_class_dump(struct Qdisc *q, unsigned long cl, struct qdisc_walk static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb) { + net_t net = skb->sk->sk_net; int t; int s_t; struct net_device *dev; @@ -1093,6 +1110,9 @@ static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb) struct tcmsg *tcm = (struct tcmsg*)NLMSG_DATA(cb->nlh); struct qdisc_dump_args arg; + if (!net_eq(net, init_net())) + return 0; + if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm))) return 0; if ((dev = dev_get_by_index(init_net(), tcm->tcm_ifindex)) == NULL) -- 1.4.4.1.g278f - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html