On Sun, 2017-04-02 at 10:14 -0700, Eric Dumazet wrote:
> Could that be that netfilter does not abort earlier if TCP header is
> completely wrong ?
>
Yes, I wonder if this patch would be better, unless we replicate the
th->doff sanity check in all netfilter modules dissecting TCP frames.
diff
On Sun, 2017-04-02 at 19:52 +0300, Denys Fedoryshchenko wrote:
> On 2017-04-02 15:32, Eric Dumazet wrote:
> > On Sun, 2017-04-02 at 15:25 +0300, Denys Fedoryshchenko wrote:
> >> > */
> >> I will add also WARN_ON_ONCE(tcp_hdrlen >= 15 * 4) before, for
> >> curiosity, if this condition is
On 2017-04-02 15:32, Eric Dumazet wrote:
On Sun, 2017-04-02 at 15:25 +0300, Denys Fedoryshchenko wrote:
> */
I will add also WARN_ON_ONCE(tcp_hdrlen >= 15 * 4) before, for
curiosity, if this condition is triggered. Is it fine like that?
Sure.
It didn't trigger WARN_ON, and with both
The following Coccinelle script was used to detect this:
@r@
expression x;
void* e;
type T;
identifier f;
@@
(
*((T *)e)
|
((T *)x)[...]
|
((T*)x)->f
|
- (T*)
e
)
Signed-off-by: Arushi Singhal
---
extensions/libarpt_mangle.c | 2 +-
The following Coccinelle script was used to detect this:
@r@
expression x;
void* e;
type T;
identifier f;
@@
(
*((T *)e)
|
((T *)x)[...]
|
((T*)x)->f
|
- (T*)
e
)
Signed-off-by: Arushi Singhal
---
iptables/nft-arp.c | 4 ++--
iptables/xtables-arp.c
On Sun, 2017-04-02 at 15:25 +0300, Denys Fedoryshchenko wrote:
> > */
> I will add also WARN_ON_ONCE(tcp_hdrlen >= 15 * 4) before, for
> curiosity, if this condition is triggered. Is it fine like that?
Sure.
On 2017-04-02 15:19, Eric Dumazet wrote:
On Sun, 2017-04-02 at 04:54 -0700, Eric Dumazet wrote:
On Sun, 2017-04-02 at 13:45 +0200, Florian Westphal wrote:
> Eric Dumazet wrote:
> > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i +=
optlen(opt,
On Sun, 2017-04-02 at 04:54 -0700, Eric Dumazet wrote:
> On Sun, 2017-04-02 at 13:45 +0200, Florian Westphal wrote:
> > Eric Dumazet wrote:
> > > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i +=
> > > optlen(opt, i)) {
> > > + for (i = sizeof(struct
On Sun, 2017-04-02 at 13:45 +0200, Florian Westphal wrote:
> Eric Dumazet wrote:
> > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i +=
> > optlen(opt, i)) {
> > + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i +=
> > optlen(opt,
On 2017-04-02 14:45, Florian Westphal wrote:
Eric Dumazet wrote:
- for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i +=
optlen(opt, i)) {
+ for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i +=
optlen(opt, i)) {
if (opt[i]
Eric Dumazet wrote:
> - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i +=
> optlen(opt, i)) {
> + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i +=
> optlen(opt, i)) {
> if (opt[i] == TCPOPT_MSS && opt[i+1] ==
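Review bot: on the `+` line the bound is still `tcp_hdrlen - TCPOLEN_MSS`, and nothing in the visible lines checks that `tcp_hdrlen` is at least `sizeof(struct tcphdr)` before the loop, so tightening `<=` to `<` only drops the last candidate offset and does not help when the header length itself is bogus. With the old `<=` bound, an MSS option starting at `i = tcp_hdrlen - TCPOLEN_MSS` still fits inside the header (TCPOLEN_MSS being the 4-byte MSS option length), so the new bound would also skip a valid MSS option that sits last. I would keep `<=` and instead reject the packet before the loop when `tcp_hdrlen < sizeof(struct tcphdr)` or when it exceeds the data actually present, which is the th->doff sanity check raised elsewhere in this thread.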
On Sun, 2017-04-02 at 10:43 +0300, Denys Fedoryshchenko wrote:
> Repost, due to being sleepy I missed a few important points.
>
> I am searching for the reasons of crashes on multiple conntrack-enabled
> servers; usually they point to conntrack, but I suspect the use after free
> might be somewhere else,
> so I
From: Liping Zhang
We should use proper RCU list APIs to manipulate help->expectations,
as we can dump the conntrack's expectations via nfnetlink, i.e. in
ctnetlink_exp_ct_dump_table(), where only rcu_read_lock is acquired.
So for list traversal, use
From: Liping Zhang
For IPCTNL_MSG_EXP_GET, if the CTA_EXPECT_MASTER attr is specified, then
the NLM_F_DUMP request will dump the expectations related to this
connection tracking.
But we forget to check whether the conntrack has nf_conn_help or not,
so if nfct_help(ct) is
From: Liping Zhang
inet6_dev->addr_list is protected by inet6_dev->lock, so only using
rcu_read_lock is not enough, we should acquire read_lock_bh(>lock)
before the inet6_dev->addr_list traversal.
Signed-off-by: Liping Zhang
---
Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch
//
@r@
identifier f;
@@
f(...) { ... }
@@
identifier r.f;
@@
-
+ f
//
Signed-off-by: Arushi Singhal
---
iptables/ip6tables-save.c |
Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch
//
@r@
identifier f;
@@
f(...) { ... }
@@
identifier r.f;
@@
-
+ f
//
Signed-off-by: Arushi Singhal
---
Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch
//
@r@
identifier f;
@@
f(...) { ... }
@@
identifier r.f;
@@
-
+ f
//
Signed-off-by: Arushi Singhal
---
Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch
//
@r@
identifier f;
@@
f(...) { ... }
@@
identifier r.f;
@@
-
+ f
//
Signed-off-by: Arushi Singhal
---
Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch
//
@r@
identifier f;
@@
f(...) { ... }
@@
identifier r.f;
@@
-
+ f
//
Signed-off-by: Arushi Singhal
---
Repost, due to being sleepy I missed a few important points.
I am searching for the reasons of crashes on multiple conntrack-enabled
servers; usually they point to conntrack, but I suspect the use after free
might be somewhere else,
so I tried to enable KASAN.
And it seems I got something after a few hours, and it
The structs of the type option are not modified anywhere.
Signed-off-by: Arushi Singhal
---
iptables/ip6tables.c| 2 +-
iptables/iptables-xml.c | 2 +-
iptables/xtables-arp.c | 2 +-
iptables/xtables-eb.c | 2 +-
iptables/xtables.c | 2 +-
5 files
The struct arpmangle_opts of the type option is only used to
initialise a field inside the xtables_target struct and is
not modified anywhere.
Signed-off-by: Arushi Singhal
---
extensions/libarpt_mangle.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
23 matches