linux-toradex.git/net/netfilter, branch v2.6.16.42 Linux kernel for Apalis and Colibri modules ulog: fix panic on SMP kernels 2006-08-26T15:35:49+00:00 Mark Huang mlhuang@cs.princeton.edu 2006-08-26T15:35:49+00:00 189abe08c84ab16197c29683d40df3c4917bd475 Fix kernel panic on various SMP machines. The culprit is a null ub->skb in ulog_send(). If ulog_timer() has already been scheduled on one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the queue on another CPU by calling ulog_send() right before it exits, there will be no skbuff when ulog_timer() acquires the lock and calls ulog_send(). Cancelling the timer in ulog_send() doesn't help because it has already been scheduled and is running on the first CPU. Similar problem exists in ebt_ulog.c and nfnetlink_log.c. Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Fix kernel panic on various SMP machines. The culprit is a null
ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
queue on another CPU by calling ulog_send() right before it exits,
there will be no skbuff when ulog_timer() acquires the lock and calls
ulog_send(). Cancelling the timer in ulog_send() doesn't help because
it has already been scheduled and is running on the first CPU.

Similar problem exists in ebt_ulog.c and nfnetlink_log.c.

Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
[PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934] 2006-06-30T21:06:52+00:00 Patrick McHardy kaber@trash.net 2006-06-30T03:33:12+00:00 70a00d8615ea4c408978d6efc23c89d4e7c12518 When a packet without any chunks is received, the newconntrack variable in sctp_packet contains an out of bounds value that is used to look up an pointer from the array of timeouts, which is then dereferenced, resulting in a crash. Make sure at least a single chunk is present. Problem noticed by George A. Theall <theall@tenablesecurity.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
When a packet without any chunks is received, the newconntrack variable
in sctp_packet contains an out of bounds value that is used to look up an
pointer from the array of timeouts, which is then dereferenced, resulting
in a crash. Make sure at least a single chunk is present.

Problem noticed by George A. Theall <theall@tenablesecurity.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085) 2006-06-20T08:54:53+00:00 Patrick McHardy kaber@trash.net 2006-06-19T17:14:21+00:00 ab46ee26dc90c5608c0d51c33a029fe514c0a49d Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> 
Fix endless loop in the SCTP match similar to those already fixed in the
SCTP conntrack helper (was CVE-2006-1527).

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
[PATCH] NETFILTER: SCTP conntrack: fix infinite loop (CVE-2006-1527) 2006-05-02T21:38:21+00:00 Patrick McHardy kaber@trash.net 2006-05-02T21:23:07+00:00 25b6badde42165b717e3c232e4992b3f6761920a [NETFILTER]: SCTP conntrack: fix infinite loop fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to guarantee progress of for_each_sctp_chunk(). (all other uses of for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix should be complete.) Based on patch from Ingo Molnar <mingo@elte.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
[NETFILTER]: SCTP conntrack: fix infinite loop

fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (all other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)

Based on patch from Ingo Molnar <mingo@elte.hu>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[PATCH] {ip, nf}_conntrack_netlink: fix expectation notifier unregistration 2006-04-07T16:44:28+00:00 Martin Josefsson gandalf@wlug.westbo.se 2006-04-03T08:47:48+00:00 334ed376d2b23896061520648dc7113c5c4ffb0b [NETFILTER]: {ip,nf}_conntrack_netlink: fix expectation notifier unregistration This patch fixes expectation notifier unregistration on module unload to use ip_conntrack_expect_unregister_notifier(). This bug causes a soft lockup at the first expectation created after a rmmod ; insmod of this module. Should go into -stable as well. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
[NETFILTER]: {ip,nf}_conntrack_netlink: fix expectation notifier unregistration

This patch fixes expectation notifier unregistration on module unload to
use ip_conntrack_expect_unregister_notifier(). This bug causes a soft
lockup at the first expectation created after a rmmod ; insmod of this
module.

Should go into -stable as well.

Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[NETFILTER]: nfnetlink_queue: fix possible NULL-ptr dereference 2006-03-13T04:39:35+00:00 Patrick McHardy kaber@trash.net 2006-03-13T04:32:47+00:00 406dbfc9ae0e6b7eb4da4a52c0a6556a0d7e6a2f Fix NULL-ptr dereference when a config message for a non-existant queue containing only an NFQA_CFG_PARAMS attribute is received. Coverity #433 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix NULL-ptr dereference when a config message for a non-existant
queue containing only an NFQA_CFG_PARAMS attribute is received.

Coverity #433

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nf_queue: fix end-of-list check 2006-02-27T21:03:55+00:00 Patrick McHardy kaber@trash.net 2006-02-27T21:03:55+00:00 45fe4dc08cbf9510074b97a16606366c1d405f4d The comparison wants to find out if the last list iteration reached the end of the list. It needs to compare the iterator with the list head to do this, not the element it is looking for. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
The comparison wants to find out if the last list iteration reached the
end of the list. It needs to compare the iterator with the list head to
do this, not the element it is looking for.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nf_queue: remove unnecessary check for outfn 2006-02-27T21:03:39+00:00 Patrick McHardy kaber@trash.net 2006-02-27T21:03:39+00:00 e121e9ecb08c3a9843243f461290869ff08be900 The only point of registering a queue handler is to provide an outfn, so there is no need to check for it. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
The only point of registering a queue handler is to provide an outfn,
so there is no need to check for it.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nf_queue: fix rerouting after packet mangling 2006-02-27T21:03:24+00:00 Patrick McHardy kaber@trash.net 2006-02-27T21:03:24+00:00 7a11b9848ae27e571f219fab5541bd84700f0d68 Packets should be rerouted when they come back from userspace, not before. Also move the queue_rerouters to RCU to avoid taking the queue_handler_lock for each reinjected packet. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Packets should be rerouted when they come back from userspace, not before.
Also move the queue_rerouters to RCU to avoid taking the queue_handler_lock
for each reinjected packet.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nf_queue: check if rerouter is present before using it 2006-02-27T21:03:10+00:00 Patrick McHardy kaber@trash.net 2006-02-27T21:03:10+00:00 f92f871989c97a24d284ac60b0f880222ddf87ac Every rerouter needs to provide a save and a reroute function, we don't need to check for them. But we do need to check if a rerouter is registered at all for the current family, with bridging for example packets of unregistered families can hit nf_queue. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Every rerouter needs to provide a save and a reroute function, we don't
need to check for them. But we do need to check if a rerouter is registered
at all for the current family, with bridging for example packets of
unregistered families can hit nf_queue.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>