linux/net
Florian Westphal 8626c56c82 bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict
Zefir Kurtisi reported kernel panic with an openwrt specific patch.
However, it turns out that mainline has a similar bug waiting to happen.

Once NF_HOOK() returns the skb is in undefined state and must not be
used.   Moreover, the okfn must consume the skb to support async
processing (NF_QUEUE).

Current okfn in this spot doesn't consume it and caller assumes that
NF_HOOK return value tells us if skb was freed or not, but thats wrong.

It "works" because no in-tree user registers a NFPROTO_BRIDGE hook at
LOCAL_IN that returns STOLEN or NF_QUEUE verdicts.

Once we add NF_QUEUE support for nftables bridge this will break --
NF_QUEUE holds the skb for async processing, caller will erronoulsy
return RX_HANDLER_PASS and on reinject netfilter will access free'd skb.

Fix this by pushing skb up the stack in the okfn instead.

NB: It also seems dubious to use LOCAL_IN while bypassing PRE_ROUTING
completely in this case but this is how its been forever so it seems
preferable to not change this.

Cc: Felix Fietkau <nbd@openwrt.org>
Cc: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-03-14 15:46:41 -04:00
..
6lowpan 6lowpan: iphc: fix SAM/DAM bit comment 2016-03-10 19:51:29 +01:00
9p Rework and error handling fixes, primarily in the fscatch and fd transports. 2016-01-24 12:39:09 -08:00
802
8021q net: 8021q: use __ethtool_get_ksettings 2016-02-25 22:06:46 -05:00
appletalk appletalk: fix erroneous return value 2016-02-18 14:59:34 -05:00
atm
ax25 ax25: add link layer header validation function 2016-03-09 22:13:01 -05:00
batman-adv batman-adv: clarify CFG80211 dependency 2016-03-02 13:45:47 -05:00
bluetooth Bluetooth: Fix potential buffer overflow with Add Advertising 2016-03-11 16:28:43 +01:00
bridge bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict 2016-03-14 15:46:41 -04:00
caif net: caif: fix misleading indentation 2016-03-14 13:09:50 -04:00
can
ceph libceph: don't spam dmesg with stray reply warnings 2016-02-24 20:28:51 +01:00
core net: add a hardware buffer management helper API 2016-03-14 12:19:46 -04:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
decnet
dns_resolver
dsa phy: fixed: Fix removal of phys. 2016-03-14 15:43:11 -04:00
ethernet eth: Pull header from first fragment via eth_get_headlen 2016-02-24 13:58:05 -05:00
hsr
ieee802154 ieee802154: 6lowpan: fix return of netdev notifier 2016-02-23 20:29:40 +01:00
ipv4 tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In 2016-03-14 14:55:26 -04:00
ipv6 tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In 2016-03-14 14:55:26 -04:00
ipx
irda irda: fix a potential use-after-free in ircomm_param_request 2016-01-29 22:56:46 -08:00
iucv af_iucv: Validate socket address length in iucv_sock_bind() 2016-01-19 14:21:08 -05:00
kcm kcm: Add receive message timeout 2016-03-09 16:36:15 -05:00
key
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
l3mdev net: l3mdev: address selection should only consider devices in L3 domain 2016-02-26 14:22:26 -05:00
lapb
llc af_llc: fix types on llc_ui_wait_for_conn 2016-02-17 16:12:13 -05:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-03-08 12:34:12 -05:00
mac802154 mac802154: Fixes kernel oops when unloading a radio driver 2016-02-23 20:29:40 +01:00
mpls mpls: autoload lwt module 2016-02-21 22:00:28 -05:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2016-03-08 14:25:20 -05:00
netlabel netlabel: do not initialise statics to NULL 2016-03-07 11:08:26 -05:00
netlink nfnetlink: Revert "nfnetlink: add support for memory mapped netlink" 2016-02-18 11:42:22 -05:00
netrom
nfc NFC: Close a race condition in llcp_sock_getname() 2016-02-25 08:41:01 +01:00
openvswitch ovs: allow nl 'flow set' to use ufid without flow key 2016-03-13 22:18:26 -04:00
packet packet: validate variable length ll headers 2016-03-09 22:13:01 -05:00
phonet sock: struct proto hash function may error 2016-02-11 03:54:14 -05:00
rds RDS: IB: Support Fastreg MR (FRMR) memory registration mode 2016-03-02 14:13:19 -05:00
rfkill Here's another round of updates for -next: 2016-03-01 17:03:27 -05:00
rose
rxrpc rxrpc: Replace all unsigned with unsigned int 2016-03-13 15:14:57 -04:00
sched net/flower: Fix pointer cast 2016-03-11 12:04:37 -05:00
sctp sctp: allow sctp_transmit_packet and others to use gfp 2016-03-13 22:29:07 -04:00
sunrpc One fix for a bug that could cause a NULL write past the end of a buffer 2016-02-25 19:31:01 -08:00
switchdev net: ndo_fdb_dump should report -EMSGSIZE to rtnl_fdb_dump. 2016-02-26 15:04:02 -05:00
tipc tipc: make sure IPv6 header fits in skb headroom 2016-03-14 12:23:12 -04:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
vmw_vsock vsock: Fix blocking ops call in prepare_to_wait 2016-02-13 05:57:39 -05:00
wimax
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-03-08 12:34:12 -05:00
x25
xfrm net: preserve IP control block during GSO segmentation 2016-01-15 14:35:24 -05:00
compat.c
Kconfig net: add a hardware buffer management helper API 2016-03-14 12:19:46 -04:00
Makefile kcm: Kernel Connection Multiplexor module 2016-03-09 16:36:14 -05:00
socket.c net: Fix use after free in the recvmmsg exit path 2016-03-14 12:41:49 -04:00
sysctl_net.c