
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Out-of-bound access to packet data from the snmp nat helper,
from Jann Horn.

2) ICMP(v6) error packets are set as related traffic by conntrack,
update protocol number before calling nf_nat_ipv4_manip_pkt()
to use ICMP(v6) rather than the original protocol number,
from Florian Westphal.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+8 -1
+1
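--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -215,6 +215,7 @@
 
 /* Change outer to look like the reply to an incoming packet */
 nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
+target.dst.protonum = IPPROTO_ICMP;
 if (!nf_nat_ipv4_manip_pkt(skb, 0, &target, manip))
 return 0;
 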
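Review bot: The added `target.dst.protonum = IPPROTO_ICMP;` carries no comment saying why the freshly inverted tuple's protocol is overwritten, and without one the line reads like a mistake a later cleanup might remove. Per the commit description, ICMP errors are tracked as related to the original connection, so the tuple holds that connection's protocol while the packet being mangled here is the outer ICMP one. A one-line comment such as `/* outer packet is ICMP; the related tuple still carries the original flow's protocol */` would record that. The same applies to `target.dst.protonum = IPPROTO_ICMPV6;` in nf_nat_l3proto_ipv6.c. The enclosing function starts and ends outside the hunk.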
+6 -1
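--- a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
@@ -105,6 +105,8 @@
 int snmp_version(void *context, size_t hdrlen, unsigned char tag,
 const void *data, size_t datalen)
 {
+if (datalen != 1)
+return -EINVAL;
 if (*(unsigned char *)data > 1)
 return -ENOTSUPP;
 return 1;
@@ -114,8 +116,11 @@
 const void *data, size_t datalen)
 {
 struct snmp_ctx *ctx = (struct snmp_ctx *)context;
-__be32 *pdata = (__be32 *)data;
+__be32 *pdata;
 
+if (datalen != 4)
+return -EINVAL;
+pdata = (__be32 *)data;
 if (*pdata == ctx->from) {
 pr_debug("%s: %pI4 to %pI4\n", __func__,
 (void *)&ctx->from, (void *)&ctx->to);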
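Review bot: The new guard in the second hunk compares `datalen` with a bare `4` while the read that follows goes through a `__be32 *`; writing it as `if (datalen != sizeof(*pdata))` ties the check to the width actually dereferenced, so the two cannot drift apart. Both guards would also benefit from a short comment stating that `data` and `datalen` describe a field of the packet being parsed (the commit description says the out-of-bounds access was to packet data) and must be validated before any dereference, e.g. `/* datalen comes from the packet; reject anything but a 4-byte address */`. Separately, `pdata` may point at an arbitrary offset inside the packet, so the `*pdata` load is presumably not guaranteed to be 4-byte aligned; it is worth confirming whether an unaligned-safe accessor is needed on strict-alignment architectures. The second function's signature and the rest of its body are outside the hunk.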
+1
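--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -226,6 +226,7 @@
 }
 
 nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
+target.dst.protonum = IPPROTO_ICMPV6;
 if (!nf_nat_ipv6_manip_pkt(skb, 0, &target, manip))
 return 0;
 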