Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v3.6 2012-09-25T23:33:16Z 2012-09-25T23:33:16Z Jan Engelhardt jengelh@inai.de 2012-09-21T22:26:52Z urn:sha1:82e6bfe2fbc4d48852114c4f979137cd5bf1d1a8 Commit v2.6.19-rc1~1272^2~41 tells us that r->cost != 0 can happen when a running state is saved to userspace and then reinstated from there. Make sure that private xt_limit area is initialized with correct values. Otherwise, random matchings due to use of uninitialized memory. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-09-12T15:17:35Z Joe Perches joe@perches.com 2012-09-12T02:04:53Z urn:sha1:16af511a666827eaf5802144f09e2fb7b0942c99 auto75914331@hushmail.com reports that iptables does not correctly output the KERN_<level>. $IPTABLES -A RULE_0_in -j LOG --log-level notice --log-prefix "DENY in: " result with linux 3.6-rc5 Sep 12 06:37:29 xxxxx kernel: <5>DENY in: IN=eth0 OUT= MAC=....... result with linux 3.5.3 and older: Sep 9 10:43:01 xxxxx kernel: DENY in: IN=eth0 OUT= MAC...... commit 04d2c8c83d0 ("printk: convert the format for KERN_<LEVEL> to a 2 byte pattern") updated the syslog header style but did not update netfilter uses. Do so. Use KERN_SOH and string concatenation instead of "%c" KERN_SOH_ASCII as suggested by Eric Dumazet. Signed-off-by: Joe Perches <joe@perches.com> cc: auto75914331@hushmail.com Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-09-09T20:13:49Z Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-08-31T09:55:54Z urn:sha1:4a70bbfaef0361d27272629d1a250a937edcafe4 We spare nothing by not validating the sequence number of dataless ACK packets and enabling it makes harder off-path attacks. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-09-09T20:13:30Z Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-08-31T09:55:53Z urn:sha1:64f509ce71b08d037998e93dd51180c19b2f464c Clients should not send such packets. By accepting them, we open up a hole by wich ephemeral ports can be discovered in an off-path attack. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-09-06T12:28:18Z Eric Dumazet edumazet@google.com 2012-09-04T07:49:03Z urn:sha1:0626af3139572610b56376580d11eb65d45d9dd7 Sami Farin reported crashes in xt_LOG because it assumes skb->sk is a full blown socket. Since (41063e9 ipv4: Early TCP socket demux), we can have skb->sk pointing to a timewait socket. Same fix is needed in nfnetlink_log. Diagnosed-by: Florian Westphal <fw@strlen.de> Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-31T13:50:28Z Pablo Neira Ayuso pablo@netfilter.org 2012-08-29T16:25:49Z urn:sha1:5b423f6a40a0327f9d40bc8b97ce9be266f74368 Existing code assumes that del_timer returns true for alive conntrack entries. However, this is not true if reliable events are enabled. In that case, del_timer may return true for entries that were just inserted in the dying list. Note that packets / ctnetlink may hold references to conntrack entries that were just inserted to such list. This patch fixes the issue by adding an independent timer for event delivery. This increases the size of the ecache extension. Still we can revisit this later and use variable size extensions to allocate this area on demand. Tested-by: Oliver Smith <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-30T01:29:58Z Julia Lawall Julia.Lawall@lip6.fr 2012-08-29T06:49:17Z urn:sha1:6fc09f10f12477bdaa54e94f9cb428bef6d81315 Initialize return variable before exiting on an error path. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-30T01:28:22Z Julia Lawall Julia.Lawall@lip6.fr 2012-08-29T06:49:16Z urn:sha1:ef6acf68c259d907517dcc0ffefcd4e30276ae29 Initialize return variable before exiting on an error path. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-30T01:27:19Z Julia Lawall Julia.Lawall@lip6.fr 2012-08-29T06:49:11Z urn:sha1:0a54e939d8c2647c711ef2369c3e73c3b7f3028c Initialize return variable before exiting on an error path. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> ( if@p1 (\(ret < 0\|ret != 0\)) { ... return ret; } | ret@p1 = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-20T10:40:23Z Patrick McHardy kaber@trash.net 2012-08-19T10:16:08Z urn:sha1:2dba62c30ec3040ef1b647a8976fd7e6854cc7a7 Commit 1db20a52 (nfnetlink_log: Stop using NLA_PUT*().) incorrectly converted a NLA_PUT_BE16 macro to nla_put_be32() in nfnetlink_log: - NLA_PUT_BE16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)); + if (nla_put_be32(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>