netdev.vger.kernel.org archive mirror
* [PATCH net] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
@ 2019-06-02 13:13 Guillaume Nault
  2019-06-04 13:26 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Guillaume Nault @ 2019-06-02 13:13 UTC (permalink / raw)
  To: netdev, netfilter-devel
  Cc: Peter Oskolkov, Florian Westphal, Pablo Neira Ayuso, David S. Miller

With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
after the skb has been added to the fragment queue and
nf_ct_frag6_gather() was adapted to handle this case.

But nf_ct_frag6_queue() can still fail before the fragment has been
queued. nf_ct_frag6_gather() can't handle this case anymore, because it
has no way to know if nf_ct_frag6_queue() queued the fragment before
failing. If it didn't, the skb is lost as the error code is overwritten
with -EINPROGRESS.

Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
that nf_ct_frag6_gather() can propagate the error as is.

Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
Not sure if this should go to the net or nf tree (as the original patch
went through net). Anyway this patch applies cleanly to both.

 net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 3de0e9b0a482..5b3f65e29b6f 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -293,7 +293,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
 		skb->_skb_refdst = 0UL;
 		err = nf_ct_frag6_reasm(fq, skb, prev, dev);
 		skb->_skb_refdst = orefdst;
-		return err;
+
+		/* After queue has assumed skb ownership, only 0 or
+		 * -EINPROGRESS must be returned.
+		 */
+		return err ? -EINPROGRESS : 0;
 	}
 
 	skb_dst_drop(skb);
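Review bot: at `return err ? -EINPROGRESS : 0;` the error code from nf_ct_frag6_reasm() is discarded, so a reassembly failure becomes indistinguishable from "still waiting for fragments" for every caller. If that is intended, the new comment should say so, and it should also state the converse that nf_ct_frag6_gather() now relies on: any return other than 0 or -EINPROGRESS means the skb was not queued and stays with the caller. That contract covers the whole function, so it reads better as a comment at the top of nf_ct_frag6_queue() than on this single return.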
@@ -480,12 +484,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
 		ret = 0;
 	}
 
-	/* after queue has assumed skb ownership, only 0 or -EINPROGRESS
-	 * must be returned.
-	 */
-	if (ret)
-		ret = -EINPROGRESS;
-
 	spin_unlock_bh(&fq->q.lock);
 	inet_frag_put(&fq->q);
 	return ret;
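Review bot: with the `if (ret) ret = -EINPROGRESS;` override removed, `return ret;` can now hand callers of nf_ct_frag6_gather() error codes other than -EINPROGRESS, and nothing left in this hunk says what those mean for skb ownership. The deleted comment was the only statement of the rule at this point; consider a one-line comment before `return ret;` saying that -EINPROGRESS means the queue holds the skb and any other error leaves it with the caller, and note in the commit message that the callers were checked for that case.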
-- 
2.20.1
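A userspace C model of the skb ownership contract the commit message describes, added here as an illustration and not taken from the patch or the kernel. All names, the chosen error codes, and the caller rule that only -EINPROGRESS means "the queue owns the packet" are assumptions; the model also goes one step beyond the message by showing what happens if only the second hunk is applied.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy userspace model with constructed names; not kernel code. */
struct pkt { bool queued, released; };
enum fail { FAIL_NONE, FAIL_BEFORE_QUEUE, FAIL_IN_REASM };
enum outcome { OK, LEAKED, DOUBLE_OWNED };

/* Queue step: clamp=true applies the patched "0 or -EINPROGRESS" return. */
static int model_queue(struct pkt *p, enum fail f, bool clamp)
{
	int err;

	if (f == FAIL_BEFORE_QUEUE)
		return -EINVAL;	/* constructed error: caller still owns p */
	p->queued = true;	/* from here on the queue owns p */
	err = (f == FAIL_IN_REASM) ? -ENOMEM : 0;	/* constructed reasm result */
	return (clamp && err) ? -EINPROGRESS : err;
}

/* Gather step: override=true is the pre-patch blanket rewrite of errors. */
static int model_gather(struct pkt *p, enum fail f, bool clamp, bool override)
{
	int ret = model_queue(p, f, clamp);

	return (override && ret) ? -EINPROGRESS : ret;
}

/* Assumed caller contract: -EINPROGRESS means the queue owns the packet;
 * any other return leaves it with the caller, who releases it. */
static enum outcome run(enum fail f, bool clamp, bool override)
{
	struct pkt p = { false, false };
	int ret = model_gather(&p, f, clamp, override);

	if (ret != -EINPROGRESS)
		p.released = true;
	if (!p.queued && !p.released)
		return LEAKED;
	return (p.queued && p.released && ret < 0) ? DOUBLE_OWNED : OK;
}

int main(void)
{
	printf("pre-patch, early failure: %d\n", run(FAIL_BEFORE_QUEUE, false, true));
	printf("patched, early failure:   %d\n", run(FAIL_BEFORE_QUEUE, true, false));
	printf("hunk 2 alone, reasm fail: %d\n", run(FAIL_IN_REASM, false, false));
	return 0;
}
```

In the model, the pre-patch combination leaks only on a failure before queuing, and dropping the override without clamping in the queue step would instead hand a queued packet back to the caller.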



* Re: [PATCH net] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
  2019-06-02 13:13 [PATCH net] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments Guillaume Nault
@ 2019-06-04 13:26 ` Pablo Neira Ayuso
  2019-06-04 15:02   ` Guillaume Nault
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2019-06-04 13:26 UTC (permalink / raw)
  To: Guillaume Nault
  Cc: netdev, netfilter-devel, Peter Oskolkov, Florian Westphal,
	David S. Miller

On Sun, Jun 02, 2019 at 03:13:47PM +0200, Guillaume Nault wrote:
> With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
> nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
> nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
> after the skb has been added to the fragment queue and
> nf_ct_frag6_gather() was adapted to handle this case.

Applied, thanks.


* Re: [PATCH net] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
  2019-06-04 13:26 ` Pablo Neira Ayuso
@ 2019-06-04 15:02   ` Guillaume Nault
  2019-06-04 16:03     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Guillaume Nault @ 2019-06-04 15:02 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netdev, netfilter-devel, Peter Oskolkov, Florian Westphal,
	David S. Miller

On Tue, Jun 04, 2019 at 03:26:05PM +0200, Pablo Neira Ayuso wrote:
> On Sun, Jun 02, 2019 at 03:13:47PM +0200, Guillaume Nault wrote:
> > With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
> > nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
> > nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
> > after the skb has been added to the fragment queue and
> > nf_ct_frag6_gather() was adapted to handle this case.
> 
> Applied, thanks.

Thanks. Can you also please queue it for -stable?


* Re: [PATCH net] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
  2019-06-04 15:02   ` Guillaume Nault
@ 2019-06-04 16:03     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2019-06-04 16:03 UTC (permalink / raw)
  To: Guillaume Nault
  Cc: netdev, netfilter-devel, Peter Oskolkov, Florian Westphal,
	David S. Miller

On Tue, Jun 04, 2019 at 05:02:21PM +0200, Guillaume Nault wrote:
> On Tue, Jun 04, 2019 at 03:26:05PM +0200, Pablo Neira Ayuso wrote:
> > On Sun, Jun 02, 2019 at 03:13:47PM +0200, Guillaume Nault wrote:
> > > With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
> > > nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
> > > nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
> > > after the skb has been added to the fragment queue and
> > > nf_ct_frag6_gather() was adapted to handle this case.
> > 
> > Applied, thanks.
> 
> Thanks. Can you also please queue it for -stable?

As soon as this hits Linus tree, yes.
