
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
due to memory corruption, from Florian Westphal.

2) Fix another crash in nf_queue when used with br_netfilter. Also from
Florian.

Both fixes are related to new stuff that got in 4.0-rc.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+15 -4
+14 -2
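--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -39,12 +39,24 @@
 
 static inline int nf_bridge_get_physinif(const struct sk_buff *skb)
 {
-	return skb->nf_bridge ? skb->nf_bridge->physindev->ifindex : 0;
+	struct nf_bridge_info *nf_bridge;
+
+	if (skb->nf_bridge == NULL)
+		return 0;
+
+	nf_bridge = skb->nf_bridge;
+	return nf_bridge->physindev ? nf_bridge->physindev->ifindex : 0;
 }
 
 static inline int nf_bridge_get_physoutif(const struct sk_buff *skb)
 {
-	return skb->nf_bridge ? skb->nf_bridge->physoutdev->ifindex : 0;
+	struct nf_bridge_info *nf_bridge;
+
+	if (skb->nf_bridge == NULL)
+		return 0;
+
+	nf_bridge = skb->nf_bridge;
+	return nf_bridge->physoutdev ? nf_bridge->physoutdev->ifindex : 0;
 }
 
 static inline struct net_device *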
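Review bot: Both helpers read `skb->nf_bridge` twice, once for the NULL test and once for the assignment, and the local can be const because nothing is written through it; `const struct nf_bridge_info *nf_bridge = skb->nf_bridge;` followed by `if (!nf_bridge) return 0;` expresses the same guard with a single load. Nothing in the hunk records when `physindev` or `physoutdev` may legitimately be NULL, so a short comment above each return, e.g. `/* physindev may be unset; report ifindex 0 rather than dereference it */`, would keep the check from being removed as redundant later. The helper that begins at `static inline struct net_device *` continues outside the hunk, so whether its callers cope with a NULL device pointer cannot be checked from here.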
+1 -2
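--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4340,7 +4340,6 @@
 	case NFT_CONTINUE:
 	case NFT_BREAK:
 	case NFT_RETURN:
-		desc->len = sizeof(data->verdict);
 		break;
 	case NFT_JUMP:
 	case NFT_GOTO:
@@ -4354,10 +4355,10 @@
 
 		chain->use++;
 		data->verdict.chain = chain;
-		desc->len = sizeof(data);
 		break;
 	}
 
+	desc->len = sizeof(data->verdict);
 	desc->type = NFT_DATA_VERDICT;
 	return 0;
 }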
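Review bot: The single `desc->len = sizeof(data->verdict);` after the switch carries no comment, although the removed `sizeof(data)` line shows how easily the size of the wrong object is taken at this spot. A one-line comment above the assignment, such as `/* length of the verdict member only, not of *data or of the pointer */`, would document the invariant. If `data` is a pointer, as the `data->verdict` accesses suggest, a reader should also confirm that every consumer of `desc->len` bounds its copy by that value; those consumers are not visible in this section. The enclosing function starts outside the hunk, so any early-return paths in the elided lines between the two hunks could not be reviewed.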