Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'master' of git://1984.lsi.us.es/nf

Pablo Neira Ayuso says:

====================
The following patchset contains four updates for your net tree, they are:

* Fix crash on timewait sockets, since the TCP early demux was added,
in nfnetlink_log, from Eric Dumazet.

* Fix broken syslog log-level for xt_LOG and ebt_log since printk format was
converted from <.> to a 2 bytes pattern using ASCII SOH, from Joe Perches.

* Two security fixes for the TCP connection tracking targeting off-path attacks,
from Jozsef Kadlecsik. The problem was discovered by Jan Wrobel and it is
documented in: http://mixedbit.org/reflection_scan/reflection_scan.pdf.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+38 -44
+1 -1
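--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -80,7 +80,7 @@
 unsigned int bitmask;
 
 spin_lock_bh(&ebt_log_lock);
-printk("<%c>%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
+printk(KERN_SOH "%c%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
 '0' + loginfo->u.log.level, prefix,
 in ? in->name : "", out ? out->name : "",
 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,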
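Review bot: The byte written after `KERN_SOH` is computed as `'0' + loginfo->u.log.level`, which is a log-level digit only while the value stays within 0–7, and no range check is visible in this hunk. The same expression is introduced in the `sb_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", ...)` hunk of net/netfilter/xt_LOG.c, where the old `<%d>` format printed any integer as decimal, so the assumption is new there. Since the level presumably comes from rule configuration, a comment at both sites would record the dependency: `/* level is emitted as a single digit after KERN_SOH; callers must guarantee 0..7 */`. The enclosing function starts and ends outside the hunk, so whether the value is validated earlier cannot be confirmed from here.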
+10 -19
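--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -158,21 +158,18 @@
 * sCL -> sSS
 */
 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
+/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
 /*
 * sNO -> sIV Too late and no reason to do anything
 * sSS -> sIV Client can't send SYN and then SYN/ACK
 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
-* sSR -> sIG
-* sES -> sIG Error: SYNs in window outside the SYN_SENT state
-* are errors. Receiver will reply with RST
-* and close the connection.
-* Or we are not in sync and hold a dead connection.
-* sFW -> sIG
-* sCW -> sIG
-* sLA -> sIG
-* sTW -> sIG
-* sCL -> sIG
+* sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
+* sES -> sIV Invalid SYN/ACK packets sent by the client
+* sFW -> sIV
+* sCW -> sIV
+* sLA -> sIV
+* sTW -> sIV
+* sCL -> sIV
 */
 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
@@ -630,15 +633,9 @@
 ack = sack = receiver->td_end;
 }
 
-if (seq == end
-&& (!tcph->rst
-|| (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
+if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
 /*
-* Packets contains no data: we assume it is valid
-* and check the ack value only.
-* However RST segments are always validated by their
-* SEQ number, except when seq == 0 (reset sent answering
-* SYN.
+* RST sent answering SYN.
 */
 seq = end = sender->td_end;
 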
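Review bot: The shortened comment in the second hunk, `RST sent answering SYN.`, no longer records what the removed `seq == end` branch did, and that is the security-relevant part of the change. Per the removed comment, segments without payload had `seq`/`end` replaced by `sender->td_end` and only their ack value was checked; after the change only the RST-to-SYN case takes that shortcut. A comment such as `/* Only a RST answering our SYN (seq == 0) skips the sequence check; data-less segments are validated like any other. */` would keep a later edit from restoring the exemption. In the first hunk the synack row now returns sIV where it returned sIG; this presumably blocks such packets only where the ruleset drops INVALID-state traffic, which operators would want stated. Both the state table and the function around the second hunk extend outside the visible lines.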
+19 -18
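--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -145,6 +145,19 @@
 return 0;
 }
 
+static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk)
+{
+if (!sk || sk->sk_state == TCP_TIME_WAIT)
+return;
+
+read_lock_bh(&sk->sk_callback_lock);
+if (sk->sk_socket && sk->sk_socket->file)
+sb_add(m, "UID=%u GID=%u ",
+sk->sk_socket->file->f_cred->fsuid,
+sk->sk_socket->file->f_cred->fsgid);
+read_unlock_bh(&sk->sk_callback_lock);
+}
+
 /* One level of recursion won't kill us */
 static void dump_ipv4_packet(struct sbuff *m,
 const struct nf_loginfo *info,
@@ -374,14 +361,8 @@
 }
 
 /* Max length: 15 "UID=4294967295 " */
-if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) {
-read_lock_bh(&skb->sk->sk_callback_lock);
-if (skb->sk->sk_socket && skb->sk->sk_socket->file)
-sb_add(m, "UID=%u GID=%u ",
-skb->sk->sk_socket->file->f_cred->fsuid,
-skb->sk->sk_socket->file->f_cred->fsgid);
-read_unlock_bh(&skb->sk->sk_callback_lock);
-}
+if ((logflags & XT_LOG_UID) && !iphoff)
+dump_sk_uid_gid(m, skb->sk);
 
 /* Max length: 16 "MARK=0xFFFFFFFF " */
 if (!iphoff && skb->mark)
@@ -443,8 +436,8 @@
 const struct nf_loginfo *loginfo,
 const char *prefix)
 {
-sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level,
-prefix,
+sb_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
+'0' + loginfo->u.log.level, prefix,
 in ? in->name : "",
 out ? out->name : "");
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -724,14 +717,8 @@
 }
 
 /* Max length: 15 "UID=4294967295 " */
-if ((logflags & XT_LOG_UID) && recurse && skb->sk) {
-read_lock_bh(&skb->sk->sk_callback_lock);
-if (skb->sk->sk_socket && skb->sk->sk_socket->file)
-sb_add(m, "UID=%u GID=%u ",
-skb->sk->sk_socket->file->f_cred->fsuid,
-skb->sk->sk_socket->file->f_cred->fsgid);
-read_unlock_bh(&skb->sk->sk_callback_lock);
-}
+if ((logflags & XT_LOG_UID) && recurse)
+dump_sk_uid_gid(m, skb->sk);
 
 /* Max length: 16 "MARK=0xFFFFFFFF " */
 if (!recurse && skb->mark)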
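Review bot: The `sk->sk_state == TCP_TIME_WAIT` early return in the new `dump_sk_uid_gid()` carries no comment, so nothing in the function says why such a socket must never reach `read_lock_bh(&sk->sk_callback_lock)`. The merge description ties the crash to time-wait sockets appearing since TCP early demux; such an entry is presumably a smaller object than a full `struct sock`, which would make the lock and `sk_socket` accesses invalid for it. I would add `/* skb->sk may be a timewait socket (TCP early demux): it has no sk_callback_lock or sk_socket */` above the check, so the guard is not dropped in a later cleanup. A short kernel-doc line on the helper, stating that it appends "UID=… GID=… " only for full sockets with an attached file, would also help the two call sites that now depend on it.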