Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-14 16:12:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
a0d56cb911
linux/net/ipv6/netfilter
History
Guillaume Nault a0d56cb911 netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments 
With commit 997dd96471 ("net: IP6 defrag: use rbtrees in
nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
after the skb has been added to the fragment queue and
nf_ct_frag6_gather() was adapted to handle this case.

But nf_ct_frag6_queue() can still fail before the fragment has been
queued. nf_ct_frag6_gather() can't handle this case anymore, because it
has no way to know if nf_ct_frag6_queue() queued the fragment before
failing. If it didn't, the skb is lost as the error code is overwritten
with -EINPROGRESS.

Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
that nf_ct_frag6_gather() can propagate the error as is.

Fixes: 997dd96471 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-06-04 15:25:51 +02:00
..
ip6_tables.c netfilter: x_tables: set module owner for icmp(6) matches 2018-07-05 11:45:11 +02:00
ip6t_ah.c
ip6t_eui64.c
ip6t_frag.c
ip6t_hbh.c
ip6t_ipv6header.c netfilter: xtables: avoid BUG_ON 2018-09-17 16:11:12 +02:00
ip6t_mh.c
ip6t_NPT.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
ip6t_REJECT.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
ip6t_rpfilter.c netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses 2018-08-16 19:36:58 +02:00
ip6t_rt.c netfilter: xtables: avoid BUG_ON 2018-09-17 16:11:12 +02:00
ip6t_srh.c netfilter: ip6t_srh: fix NULL pointer dereferences 2019-03-18 16:22:48 +01:00
ip6t_SYNPROXY.c netfilter: ctnetlink: synproxy support 2018-03-20 14:39:31 +01:00
ip6table_filter.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ip6table_mangle.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ip6table_nat.c netfilter: nat: remove nf_nat_l3proto.h and nf_nat_core.h 2019-02-27 10:54:08 +01:00
ip6table_raw.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ip6table_security.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile netfilter: x_tables: merge ip and ipv6 masquerade modules 2019-04-11 20:59:29 +02:00
nf_conntrack_reasm.c netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments 2019-06-04 15:25:51 +02:00
nf_defrag_ipv6_hooks.c ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module 2018-07-18 11:26:53 +02:00
nf_dup_ipv6.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 3 2019-05-21 11:28:40 +02:00
nf_flow_table_ipv6.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
nf_log_ipv6.c netfilter: check if the socket netns is correct. 2018-06-28 22:21:32 +09:00
nf_reject_ipv6.c netfilter: reject: skip csum verification for protocols that don't support it 2019-02-13 10:03:53 +01:00
nf_socket_ipv6.c netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6} 2018-03-24 21:17:14 +01:00
nf_tproxy_ipv6.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
nft_dup_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-11-15 10:54:36 -05:00
nft_fib_ipv6.c netfilter: nft_fib: Fix existence check support 2019-05-21 16:10:38 +02:00
nft_reject_ipv6.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00