Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet
On Mon, 2016-03-28 at 19:54 -0400, David Miller wrote: > From: Eric Dumazet > Date: Mon, 28 Mar 2016 13:51:46 -0700 > > > On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote: > > > >> We have at least 384 bytes of padding in skb->head (this is struct > >> skb_shared_info). > >> > >> Whatever

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread David Miller
From: Eric Dumazet Date: Mon, 28 Mar 2016 13:51:46 -0700 > On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote: > >> We have at least 384 bytes of padding in skb->head (this is struct >> skb_shared_info). >> >> Whatever garbage we might read, current code is fine. >> >> We have to deal with

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread David Miller
From: Jan Engelhardt Date: Mon, 28 Mar 2016 22:20:39 +0200 (CEST) > > On Monday 2016-03-28 21:29, David Miller wrote: > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, > > length--; > > continue; > > default: >>>

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet
On Mon, 2016-03-28 at 23:11 +0200, Jozsef Kadlecsik wrote: > In net/netfilter/nf_conntrack_proto_tcp.c we copy the options into a > buffer with skb_header_pointer(), so it's not a false positive there and > the KASAN report referred to that part. > Although the out of bound could be one extra
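The option walk under discussion, as an added example that is not code from the thread or from the kernel: it mirrors the shape of the kernel's option loop (kind byte, then a length byte for everything except EOL and NOP) and shows what the `length < 2` guard changes. Instead of actually reading the length byte past the end, the unguarded mode records the over-read, which is the read that becomes a stack out-of-bounds when the options have been copied into a fixed-size local buffer with skb_header_pointer(), as the conntrack code does. The option constants, the `struct tcp_opts` result type and the two sample option blocks are constructed for this example.

```c
/* tcp_opt_walk.c: walk TCP options with and without the "length < 2" guard. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TCPOPT_EOL        0
#define TCPOPT_NOP        1
#define TCPOPT_MSS        2
#define TCPOPT_WINDOW     3
#define TCPOPT_SACK_PERM  4
#define TCPOPT_TIMESTAMP  8

struct tcp_opts {
    int mss;        /* 0 when absent */
    int wscale;     /* -1 when absent */
    int sack_ok;
    int ts_ok;
    int overread;   /* set when the unguarded walk would read past the options */
};

/*
 * Returns 0 when the walk stays inside [ptr, ptr + length), -1 when the
 * unguarded walk would have fetched an option length byte that lies past the
 * end. `remaining` counts the kind byte, which is why the threshold is 2.
 */
static int parse_tcp_options(const uint8_t *ptr, int length, int guarded,
                             struct tcp_opts *out)
{
    int i = 0;

    memset(out, 0, sizeof(*out));
    out->wscale = -1;

    while (i < length) {
        int opcode = ptr[i];
        int remaining = length - i;
        int opsize;

        switch (opcode) {
        case TCPOPT_EOL:
            return 0;
        case TCPOPT_NOP:
            i++;
            continue;
        default:
            if (guarded && remaining < 2)   /* the check the patch adds */
                return 0;
            if (remaining < 2) {            /* unguarded: ptr[i + 1] is out of bounds */
                out->overread = 1;
                return -1;
            }
            opsize = ptr[i + 1];
            if (opsize < 2)                 /* "silly options" */
                return 0;
            if (opsize > remaining)         /* do not parse partial options */
                return 0;
            switch (opcode) {
            case TCPOPT_MSS:
                if (opsize == 4)
                    out->mss = (ptr[i + 2] << 8) | ptr[i + 3];
                break;
            case TCPOPT_WINDOW:
                if (opsize == 3)
                    out->wscale = ptr[i + 2];
                break;
            case TCPOPT_SACK_PERM:
                if (opsize == 2)
                    out->sack_ok = 1;
                break;
            case TCPOPT_TIMESTAMP:
                if (opsize == 10)
                    out->ts_ok = 1;
                break;
            default:
                break;                      /* unknown option: skip by its length */
            }
            i += opsize;
        }
    }
    return 0;
}

/* Constructed sample option blocks (not taken from the bug report). */
static const uint8_t opts_good[] = {
    TCPOPT_MSS, 4, 0x05, 0xb4,              /* MSS 1460 */
    TCPOPT_NOP,
    TCPOPT_WINDOW, 3, 7,                    /* window scale 7 */
    TCPOPT_SACK_PERM, 2,
    TCPOPT_NOP, TCPOPT_NOP,
};
/* Last byte is a lone option kind: its length byte would be read past the end. */
static const uint8_t opts_trailing_kind[] = {
    TCPOPT_NOP, TCPOPT_NOP,
    TCPOPT_MSS, 4, 0x05, 0xb4,
    TCPOPT_WINDOW,
};

int main(void)
{
    struct tcp_opts o;
    int rc;

    rc = parse_tcp_options(opts_good, sizeof(opts_good), 1, &o);
    printf("well-formed: rc=%d mss=%d wscale=%d sack_ok=%d\n", rc, o.mss, o.wscale, o.sack_ok);
    rc = parse_tcp_options(opts_trailing_kind, sizeof(opts_trailing_kind), 0, &o);
    printf("trailing kind, unguarded: rc=%d overread=%d\n", rc, o.overread);
    rc = parse_tcp_options(opts_trailing_kind, sizeof(opts_trailing_kind), 1, &o);
    printf("trailing kind, guarded:   rc=%d mss=%d overread=%d\n", rc, o.mss, o.overread);
    return 0;
}
```

The second sample is the case the guard exists for: the walk has consumed the MSS option correctly and then meets a kind byte with nothing after it. Whether that over-read is harmless depends on what sits after the buffer, which is exactly the split in the thread between options read in place from skb->head and options copied into a local buffer.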

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jozsef Kadlecsik
On Mon, 28 Mar 2016, Eric Dumazet wrote: > On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote: > > On Monday 2016-03-28 21:29, David Miller wrote: > > >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff > > >>> > > *skb, > > >>> > > length--; > > >>> > >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet
On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote: > We have at least 384 bytes of padding in skb->head (this is struct > skb_shared_info). > > Whatever garbage we might read, current code is fine. > > We have to deal with a false positive here. Very similar to the one fixed in https://git

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet
On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote: > On Monday 2016-03-28 21:29, David Miller wrote: > >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff > >>> > > *skb, > >>> > > length--; > >>> > > continue; > >>> > > default: >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jan Engelhardt
On Monday 2016-03-28 21:29, David Miller wrote: >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, >>> > > length--; >>> > > continue; >>> > > default: >>> > > +if (length < 2) >>> > > +return; >>> > >
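Review bot: the `if (length < 2) return;` in the `default:` branch sits before the option length byte is fetched, so an option list whose final byte is a lone option kind (anything other than EOL or NOP, which the preceding `length--; continue;` path already consumes) ends the walk instead of reading a length byte that lies one past the end of the options; `length` at that point still counts the kind byte, which is why the threshold is 2 and not 1. The same guard is needed on the conntrack side in net/netfilter/nf_conntrack_proto_tcp.c, which copies the options into a local buffer with skb_header_pointer() and therefore has no slack beyond the end, unlike skb->head with its skb_shared_info padding; without it the KASAN stack-out-of-bounds in tcp_packet stays reachable from a crafted TCP header regardless of how tcp_input.c is patched.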

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet
On Mon, 2016-03-28 at 15:29 -0400, David Miller wrote: > From: Jozsef Kadlecsik > Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST) > > >> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, > >> > > length--; > >> > > continue; > >> > > de

Re: [PATCH 0/9] Netfilter fixes for net

2016-03-28 Thread David Miller
From: Pablo Neira Ayuso Date: Mon, 28 Mar 2016 19:57:53 +0200 > The following patchset contains Netfilter fixes for your net tree, > they are: ... > This batch comes with four patches to validate x_tables blobs coming > from userspace. CONFIG_USERNS exposes the x_tables interface to > unpriviledg

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread David Miller
From: Jozsef Kadlecsik Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST) >> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, >> > > length--; >> > > continue; >> > > default: >> > > +if (length < 2) >> > > +re

[PATCH] iptables-translate: Initializing comment member in xt_xlate structure

2016-03-28 Thread Guruswamy Basavaiah
Initializing comment member in xt_xlate structure. Because it is not initialized, when translating an iptables command with multiple IP addresses, a --comment field is added to the translated commands. Before fix: inbhdhcp21574:basavaia$>sudo ./iptables-translate -A INPUT --source "40.0.0.1, 3

NFQ breaks conntrack creation to confirmation path for a fast UDP stream causing dropped packets

2016-03-28 Thread Yigal Reiss (yreiss)
Sending a high-throughput stream of UDP packets through NFQ causes a few packets to be dropped. Let's say we have 10 packets with the same tuple going in. They all receive different conntrack objects (with confirmed flag unset). They then get grabbed by user space through NFQ and suppose they all g

[PATCH 3/9] openvswitch: call only into reachable nf-nat code

2016-03-28 Thread Pablo Neira Ayuso
From: Arnd Bergmann The openvswitch code has gained support for calling into the nf-nat-ipv4/ipv6 modules, however those can be loadable modules in a configuration in which openvswitch is built-in, leading to link errors: net/built-in.o: In function `__ovs_ct_lookup': :(.text+0x2cc2c8): undefine

[PATCH 4/9] netfilter: x_tables: validate e->target_offset early

2016-03-28 Thread Pablo Neira Ayuso
From: Florian Westphal We should check that e->target_offset is sane before mark_source_chains gets called since it will fetch the target entry for loop detection. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/arp_tables.c | 17 - net/

[PATCH 9/9] netfilter: ipv4: fix NULL dereference

2016-03-28 Thread Pablo Neira Ayuso
From: Liping Zhang Commit fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob") uses sock_net(skb->sk) to get the net namespace, but we can't assume that sk_buff->sk always exists, so when it is NULL, an oops will happen. Signed-off-by: Liping Zhang Reviewed-by: Nikolay Borisov Signed-o

[PATCH 5/9] netfilter: x_tables: make sure e->next_offset covers remaining blob size

2016-03-28 Thread Pablo Neira Ayuso
From: Florian Westphal Otherwise this function may read data beyond the ruleset blob. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/arp_tables.c | 6 -- net/ipv4/netfilter/ip_tables.c | 6 -- net/ipv6/netfilter/ip6_tables.c | 6 -- 3 file

[PATCH 1/9] netfilter: ipset: fix race condition in ipset save, swap and delete

2016-03-28 Thread Pablo Neira Ayuso
From: Vishwanath Pai This fix adds a new reference counter (ref_netlink) for the struct ip_set. The other reference counter (ref) can be swapped out by ip_set_swap and we need a separate counter to keep track of references for netlink events like dump. Using the same ref counter for dump causes a

[PATCH 0/9] Netfilter fixes for net

2016-03-28 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) There was a race condition between parallel save/swap and delete, which resulted in a kernel crash due to the increase ref for save, swap, wrong ref decrease operations. Reported and fixed by Vishwanath Pa

[PATCH 2/9] openvswitch: Fix checking for new expected connections.

2016-03-28 Thread Pablo Neira Ayuso
From: Jarno Rajahalme OVS should call into CT NAT for packets of new expected connections only when the conntrack state is persisted with the 'commit' option to the OVS CT action. The test for this condition is doubly wrong, as the CT status field is ANDed with the bit number (IPS_EXPECTED_BIT)

[PATCH 7/9] netfilter: nfnetlink_queue: honor NFQA_CFG_F_FAIL_OPEN when netlink unicast fails

2016-03-28 Thread Pablo Neira Ayuso
When netlink unicast fails to deliver the message to userspace, we should also check if the NFQA_CFG_F_FAIL_OPEN flag is set so we reinject the packet back to the stack. I think the user expects no packet drops when this flag is set due to queueing to userspace errors, no matter if related to the

[PATCH 6/9] netfilter: x_tables: fix unconditional helper

2016-03-28 Thread Pablo Neira Ayuso
From: Florian Westphal Ben Hawkes says: In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset. Pro

[PATCH 8/9] netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES

2016-03-28 Thread Pablo Neira Ayuso
Make sure the table names via getsockopt GET_ENTRIES are nul-terminated in ebtables and all the x_tables variants and their respective compat code. Uncovered by KASAN. Reported-by: Baozeng Ding Signed-off-by: Pablo Neira Ayuso --- net/bridge/netfilter/ebtables.c | 4 net/ipv4/netfilter/arp_
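The four x_tables fixes in this batch (4/9 validating e->target_offset early, 5/9 making e->next_offset cover the remaining blob size, 6/9 the unchecked next_offset Ben Hawkes reported, and 8/9 the unterminated table name from GET_ENTRIES) all come down to the same discipline: every offset in a user-supplied ruleset blob is an attacker-chosen number and must be checked against the bytes actually present before it is used to address anything. The following is an added example, not kernel code and not the patches themselves: it uses a simplified stand-in for the entry and target headers (the real ipt_entry carries IP match fields and counters in front of the two offsets, and the real target header carries a name) and a constructed blob builder, and walks the blob the way a loader would, rejecting the malformed shapes the patches describe. `check_table_name` rejects an unterminated name rather than forcing termination, which is a choice made for this example.

```c
/* xt_blob_check.c: offset validation for a user-supplied ruleset blob. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

#define XT_TABLE_MAXNAMELEN 32

/* Simplified entry header: only the two offsets matter for the checks. */
struct xt_entry_hdr {
    uint16_t target_offset;   /* entry start -> target header */
    uint16_t next_offset;     /* total entry size: header + matches + target */
    uint32_t comefrom;
};

/* Simplified target header: real one also carries a name. */
struct xt_target_hdr {
    uint16_t target_size;     /* header + target-private data */
    uint8_t  revision;
    uint8_t  pad;
};

/* Validate the entry at `off`; on success store where the next entry starts. */
static int check_entry(const uint8_t *base, size_t size, size_t off, size_t *next)
{
    struct xt_entry_hdr e;
    struct xt_target_hdr t;
    size_t remaining = size - off;

    if (off % __alignof__(struct xt_entry_hdr) != 0)
        return -EINVAL;
    if (remaining < sizeof(e))                 /* header itself must fit */
        return -EINVAL;
    memcpy(&e, base + off, sizeof(e));

    /* target_offset: validated before anything dereferences the target */
    if (e.target_offset < sizeof(e))           /* would point inside the header */
        return -EINVAL;
    if ((size_t)e.target_offset + sizeof(t) > e.next_offset) /* no room for a target */
        return -EINVAL;
    /* next_offset: must not claim more than what is left of the blob */
    if (e.next_offset > remaining)
        return -EINVAL;

    memcpy(&t, base + off + e.target_offset, sizeof(t));
    if (t.target_size < sizeof(t) ||
        (size_t)e.target_offset + t.target_size > e.next_offset)
        return -EINVAL;

    /* next_offset >= sizeof(e) + sizeof(t) here, so the walk always advances */
    *next = off + e.next_offset;
    return 0;
}

/* Walk every entry; 0 and the entry count on success, -EINVAL otherwise. */
static int validate_blob(const uint8_t *blob, size_t size, unsigned int *count)
{
    size_t off = 0;

    *count = 0;
    while (off < size) {
        size_t next;
        int rc = check_entry(blob, size, off, &next);
        if (rc)
            return rc;
        off = next;
        (*count)++;
    }
    return 0;
}

/* GET_ENTRIES hands in a fixed-size name buffer: require a nul inside it. */
static int check_table_name(const char *name, size_t buflen)
{
    return memchr(name, '\0', buflen) ? 0 : -EINVAL;
}

/* Constructed blob builder: one entry with the given match and target-private sizes. */
static size_t put_entry(uint8_t *buf, size_t off, uint16_t match_bytes, uint16_t priv_bytes)
{
    struct xt_entry_hdr e = { 0 };
    struct xt_target_hdr t = { 0 };

    e.target_offset = sizeof(e) + match_bytes;
    e.next_offset = e.target_offset + sizeof(t) + priv_bytes;
    t.target_size = sizeof(t) + priv_bytes;
    memset(buf + off, 0, e.next_offset);
    memcpy(buf + off, &e, sizeof(e));
    memcpy(buf + off + e.target_offset, &t, sizeof(t));
    return off + e.next_offset;
}

static void patch_u16(uint8_t *p, uint16_t v) { memcpy(p, &v, sizeof(v)); }

static uint8_t blob[256];

/* Two well-formed entries. */
static int demo_good(unsigned int *count)
{
    size_t n = put_entry(blob, 0, 8, 4);
    n = put_entry(blob, n, 0, 12);
    return validate_blob(blob, n, count);
}

/* Second entry's next_offset points far beyond the blob. */
static int demo_huge_next_offset(void)
{
    unsigned int count;
    size_t n = put_entry(blob, 0, 8, 4);
    size_t end = put_entry(blob, n, 0, 12);
    patch_u16(blob + n + offsetof(struct xt_entry_hdr, next_offset), 0xfff0);
    return validate_blob(blob, end, &count);
}

/* target_offset lands inside the entry header. */
static int demo_bad_target_offset(void)
{
    unsigned int count;
    size_t n = put_entry(blob, 0, 8, 4);
    patch_u16(blob + offsetof(struct xt_entry_hdr, target_offset), 2);
    return validate_blob(blob, n, &count);
}

/* Table name buffer with or without a terminating nul. */
static int demo_name(int terminated)
{
    char name[XT_TABLE_MAXNAMELEN];
    memset(name, 'a', sizeof(name));
    if (terminated)
        name[6] = '\0';
    return check_table_name(name, sizeof(name));
}
```

The order of the checks is the point: `target_offset` is checked against the header size and against `next_offset` before the target header is touched, `next_offset` is checked against the bytes remaining before it is used to advance, and the lower bound on `next_offset` that falls out of those checks is what guarantees the walk terminates.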

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Pablo Neira Ayuso
On Mon, Mar 28, 2016 at 06:48:51PM +0200, Jozsef Kadlecsik wrote: > Hi David, Pablo, > > David, do you agree with the patch for net/ipv4/tcp_input.c? If yes, how > should I proceed? Should I send the whole patch to you or is it OK to send > to Pablo? Submit a formal patch and Cc: net...@vger.ke

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jozsef Kadlecsik
Hi David, Pablo, David, do you agree with the patch for net/ipv4/tcp_input.c? If yes, how should I proceed? Should I send the whole patch to you or is it OK to send to Pablo? Best regards, Jozsef On Mon, 28 Mar 2016, Baozeng Ding wrote: > > > On 2016/3/28 10:35, Baozeng Ding wrote: > > > >

[PATCH V2] netfilter: ip6t_SYNPROXY: remove magic number

2016-03-28 Thread Liping Zhang
From: Liping Zhang Replace '64' with the per-net ipv6_devconf_all's hop_limit when building the ipv6 header. Signed-off-by: Liping Zhang --- net/ipv6/netfilter/ip6t_SYNPROXY.c | 56 -- 1 file changed, 30 insertions(+), 26 deletions(-) diff --git a/net/ipv6/

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Baozeng Ding
On 2016/3/28 10:35, Baozeng Ding wrote: On 2016/3/28 6:25, Jozsef Kadlecsik wrote: On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote: On Sun, 27 Mar 2016, Baozeng Ding wrote: The following program triggers stack-out-of-bounds in tcp_packet. The kernel version is 4.5 (on Mar 16 commit 09fd671cc

Re: [nft PATCH 2/3] src/evaluate.c: improve rule management checks

2016-03-28 Thread Arturo Borrero Gonzalez
On 23 March 2016 at 17:08, Pablo Neira Ayuso wrote: > On Wed, Mar 23, 2016 at 01:51:38PM +0100, Arturo Borrero Gonzalez wrote: >> Improve checks (and error reporting) for basic rule management operations. >> >> This includes a fix for netfilter bug #965. > > Thanks for working on this. > > With a

Re: [PATCH] netfilter: ip6t_SYNPROXY: remove magic number

2016-03-28 Thread Pablo Neira Ayuso
On Wed, Mar 23, 2016 at 10:29:16PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Replace '64' with the per-net ipv6_devconf_all's hop_limit when > building the ipv6 header. Could you resend a patch based on top of: netfilter: ipv4: fix NULL dereference Thanks. -- To unsubscribe f

Re: [PATCH] iptables: extensions: libxt_TEE: Add translation to nft

2016-03-28 Thread Pablo Neira Ayuso
Hi Roberto, On Wed, Mar 23, 2016 at 12:42:52PM +0100, Roberto García wrote: > Add translation for TEE target to nft. I have applied this with minor glitches, thanks, comment below. > However, there is a problem with the output when using > ip6tables-translate. I couldn't find a fix for that. Ju

Re: [PATCH V2] netfilter: ipv4: fix NULL dereference

2016-03-28 Thread Pablo Neira Ayuso
On Sat, Mar 26, 2016 at 04:32:57PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Commit fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob") > uses sock_net(skb->sk) to get the net namespace, but we can't assume > that sk_buff->sk always exists, so when it is NULL, an oops will happ