[PATCH V3] netfilter: x_tables: Fix use-after-free in ipt_do_table.

2017-07-26 Thread Taehee Yoo
If the verdict is NF_STOLEN in the SYNPROXY target, the skb is consumed. However, ipt_do_table() always tries to get the IP header from the skb, so KASAN triggers the use-after-free message. We can reproduce this message using the command below. # iptables -I INPUT -p tcp -j SYNPROXY --mss 1460 [

Re: [PATCH V2] netfilter: x_tables: Fix use-after-free in ipt_do_table.

2017-07-26 Thread Taehee Yoo
2017-07-26 20:06 GMT+09:00 Pablo Neira Ayuso : > On Wed, Jul 26, 2017 at 11:27:16AM +0200, Florian Westphal wrote: >> Taehee Yoo wrote: >> > If verdict is NF_STOLEN in the SYNPROXY target, >> > the skb is consumed. >> > However, ipt_do_table() always tries

Re: [nft PATCH 2/6] monitor: Fix printing of set declarations

2017-07-26 Thread Phil Sutter
On Wed, Jul 26, 2017 at 01:18:03PM +0200, Pablo Neira Ayuso wrote: > On Tue, Jul 25, 2017 at 07:09:34PM +0200, Phil Sutter wrote: > > On Tue, Jul 25, 2017 at 05:57:41PM +0200, Pablo Neira Ayuso wrote: > > > On Tue, Jul 25, 2017 at 04:56:25PM +0200, Phil Sutter wrote: > > > > diff --git

Re: [PATCH nf-next] netfilter: nft_set_rbtree: use seqcount to avoid lock in most cases

2017-07-26 Thread Pablo Neira Ayuso
On Wed, Jul 26, 2017 at 01:15:06PM +0200, Pablo Neira Ayuso wrote: > On Wed, Jul 26, 2017 at 02:09:41AM +0200, Florian Westphal wrote: > [...] > > @@ -144,7 +159,9 @@ static int nft_rbtree_insert(const struct net *net, > > const struct nft_set *set, > > int err; > > > >

Re: [nft PATCH 2/6] monitor: Fix printing of set declarations

2017-07-26 Thread Pablo Neira Ayuso
On Tue, Jul 25, 2017 at 07:09:34PM +0200, Phil Sutter wrote: > On Tue, Jul 25, 2017 at 05:57:41PM +0200, Pablo Neira Ayuso wrote: > > On Tue, Jul 25, 2017 at 04:56:25PM +0200, Phil Sutter wrote: > > > diff --git a/tests/monitor/testcases/set-maps.t > > > b/tests/monitor/testcases/set-maps.t > > >

Re: [PATCH nf-next] netfilter: nft_set_rbtree: use seqcount to avoid lock in most cases

2017-07-26 Thread Pablo Neira Ayuso
On Wed, Jul 26, 2017 at 02:09:41AM +0200, Florian Westphal wrote: [...] > @@ -144,7 +159,9 @@ static int nft_rbtree_insert(const struct net *net, const > struct nft_set *set, > int err; > > write_lock_bh(>lock); > + write_seqcount_begin(>count); > err =

Re: [PATCH nf-next] netfilter: nft_set_rbtree: use seqcount to avoid lock in most cases

2017-07-26 Thread Florian Westphal
Eric Dumazet wrote: > On Wed, 2017-07-26 at 02:09 +0200, Florian Westphal wrote: > > switch to lockless lookup. write side now also increments sequence > > counter. On lookup, sample counter value and only take the lock > > if we did not find a match and the counter has

Re: [PATCH nf-next] netfilter: nft_set_rbtree: use seqcount to avoid lock in most cases

2017-07-26 Thread Eric Dumazet
On Wed, 2017-07-26 at 02:09 +0200, Florian Westphal wrote: > switch to lockless lookup. write side now also increments sequence > counter. On lookup, sample counter value and only take the lock > if we did not find a match and the counter has changed. > > This avoids need to write to private