
Merge branch 'master' of git://1984.lsi.us.es/net

+24 -20
+11 -1
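--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -287,7 +287,17 @@
 				   struct xt_table *table);
 
 /* Check for an extension */
-extern int ip6t_ext_hdr(u8 nexthdr);
+static inline int
+ip6t_ext_hdr(u8 nexthdr)
+{	return (nexthdr == IPPROTO_HOPOPTS) ||
+	       (nexthdr == IPPROTO_ROUTING) ||
+	       (nexthdr == IPPROTO_FRAGMENT) ||
+	       (nexthdr == IPPROTO_ESP) ||
+	       (nexthdr == IPPROTO_AH) ||
+	       (nexthdr == IPPROTO_NONE) ||
+	       (nexthdr == IPPROTO_DSTOPTS);
+}
+
 /* find specified header and get offset to it */
 extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
 			 int target, unsigned short *fragoff);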
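Review bot: The opening brace of the new inline ip6t_ext_hdr() shares its line with the first statement (`{ return (nexthdr == IPPROTO_HOPOPTS) ||`), which is not the brace style used by the surrounding declarations; put `{` on its own line and start the body with `return` on the next. The function only ever yields a truth value, so `static inline bool` would also read more precisely than `int`, though that is a signature change for existing callers of the former exported symbol and may be better left for a follow-up. The one-line comment `/* Check for an extension */` could say what "extension" means here, e.g. `/* True if nexthdr is an IPv6 extension header (or IPPROTO_NONE) that ipv6_find_hdr() has to walk past */`.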
+10 -2
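--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -74,15 +74,23 @@
 
 	iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
 	if (iph == NULL)
-		return -NF_DROP;
+		return -NF_ACCEPT;
 
 	/* Conntrack defragments packets, we might still see fragments
 	 * inside ICMP packets though. */
 	if (iph->frag_off & htons(IP_OFFSET))
-		return -NF_DROP;
+		return -NF_ACCEPT;
 
 	*dataoff = nhoff + (iph->ihl << 2);
 	*protonum = iph->protocol;
+
+	/* Check bogus IP headers */
+	if (*dataoff > skb->len) {
+		pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "
+			 "nhoff %u, ihl %u, skblen %u\n",
+			 nhoff, iph->ihl << 2, skb->len);
+		return -NF_ACCEPT;
+	}
 
 	return NF_ACCEPT;
 }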
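Review bot: The new bogus-header check only rejects a header that runs past the end of the skb (`*dataoff > skb->len`); a header length below the IPv4 minimum (ihl < 5) passes through and yields a `*dataoff` inside the header itself. Whether such a packet can reach this hook presumably depends on ip_rcv() having validated ihl earlier, and that assumption deserves a comment next to the check, e.g. `/* ihl < 5 is assumed to have been rejected by ip_rcv(); only guard against the header overrunning the skb here */`. The check also runs after `*dataoff` and `*protonum` have been written; if callers ignore the outputs on a negative return that is harmless, but moving the test ahead of the two assignments would make that independent of caller behaviour. The switch from -NF_DROP to -NF_ACCEPT on the three early exits is the substance of the change and also merits a short comment explaining why malformed headers are now let through untracked rather than dropped. The enclosing function starts outside the hunk.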
-14
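--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -78,19 +78,6 @@
 
    Hence the start of any table is given by get_table() below. */
 
-/* Check for an extension */
-int
-ip6t_ext_hdr(u8 nexthdr)
-{
-	return (nexthdr == IPPROTO_HOPOPTS) ||
-	       (nexthdr == IPPROTO_ROUTING) ||
-	       (nexthdr == IPPROTO_FRAGMENT) ||
-	       (nexthdr == IPPROTO_ESP) ||
-	       (nexthdr == IPPROTO_AH) ||
-	       (nexthdr == IPPROTO_NONE) ||
-	       (nexthdr == IPPROTO_DSTOPTS);
-}
-
 /* Returns whether matches rule or not. */
 /* Performance critical - called for every packet */
 static inline bool
@@ -2353,7 +2366,6 @@
 EXPORT_SYMBOL(ip6t_register_table);
 EXPORT_SYMBOL(ip6t_unregister_table);
 EXPORT_SYMBOL(ip6t_do_table);
-EXPORT_SYMBOL(ip6t_ext_hdr);
 EXPORT_SYMBOL(ipv6_find_hdr);
 
 module_init(ip6_tables_init);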
+1 -1
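--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1592,7 +1592,7 @@
 	return 0;
 
 err_timeout:
-	nf_conntrack_timeout_fini(net);
+	nf_conntrack_ecache_fini(net);
 err_ecache:
 	nf_conntrack_tstamp_fini(net);
 err_tstamp: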
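Review bot: The corrected unwind at `err_timeout:` now releases the ecache step, which is right for a goto-cleanup chain, but the label names read as "what failed" while each body undoes the previous step, and that mismatch is exactly what let the old `nf_conntrack_timeout_fini()` call slip in. A comment at the top of the label chain would make the invariant explicit, e.g. `/* Each label names the init step that failed; its body undoes the step that succeeded just before it. */`. The init function and the remaining labels lie outside the hunk, so the other label bodies could not be checked here.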
+2 -2
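--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -584,8 +584,8 @@
 		 * Let's try to use the data from the packet.
 		 */
 		sender->td_end = end;
-		win <<= sender->td_scale;
-		sender->td_maxwin = (win == 0 ? 1 : win);
+		swin = win << sender->td_scale;
+		sender->td_maxwin = (swin == 0 ? 1 : swin);
 		sender->td_maxend = end + sender->td_maxwin;
 		/*
 		 * We haven't seen traffic in the other direction yet
</update>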
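Review bot: The reason for shifting into a separate `swin` instead of `win <<= sender->td_scale` is not stated in the hunk; presumably `win` is the 16-bit window taken from the TCP header, so scaling it in place would truncate the result and also corrupt the unscaled value if it is used again later in the function — the declaration of `swin` and `win` sits outside the hunk, so this could not be confirmed here. A one-line comment on the new line 587 would keep the next reader from "simplifying" it back, e.g. `/* scale into a wider temporary: win is too narrow to hold the shifted window and is reused below */`. If `swin` is indeed wider than `win`, the `swin == 0 ? 1 : swin` guard can only trigger when the header window itself is zero, which is worth noting in the same comment. The enclosing function starts and ends outside the hunk.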