[PATCH nf] netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}

2018-03-22 Thread Subash Abhinov Kasiviswanathan
skb_header_pointer will copy data into a buffer if data is non-linear, otherwise it will return a pointer in the linear section of the data. nf_sk_lookup_slow_v{4,6} always copies data of size udphdr but later accesses memory within the size of tcphdr (th->doff) in case of TCP packets. This causes

Re: [PATCH nf-next,RFC] netfilter: nf_conntrack_tcp: reset entry only from CLOSE and TIME_WAIT states

2018-03-22 Thread Jozsef Kadlecsik
Hi Pablo, On Tue, 20 Mar 2018, Pablo Neira Ayuso wrote: > Before this patch, if TCP state is < TIME_WAIT, we skip this logic. > Along time, we got new states over the TIME_WAIT value, such as > SYN_SENT2, RETRANS and UNACK, that can trigger this conntrack entry > reset, however this check was

Re: [PATCH net-next 2/2] net: Convert nf_ct_net_ops

2018-03-22 Thread David Miller
From: Kirill Tkhai Date: Mon, 19 Mar 2018 14:45:46 +0300 > These pernet_operations register and unregister sysctl. > Also, there is inet_frags_exit_net() called in exit method, > which has to be safe after a560002437d3 "net: Fix hlist > corruptions in inet_evict_bucket()".

Re: [PATCH net-next 1/2] net: Convert lowpan_frags_ops

2018-03-22 Thread David Miller
From: Kirill Tkhai Date: Mon, 19 Mar 2018 14:45:37 +0300 > These pernet_operations register and unregister sysctl. > Also, there is inet_frags_exit_net() called in exit method, > which has to be safe after a560002437d3 "net: Fix hlist > corruptions in inet_evict_bucket()".

Re: [nf-next PATCH] net: nftables: Respect hash set backend features

2018-03-22 Thread Pablo Neira Ayuso
On Wed, Mar 21, 2018 at 05:44:06PM +0100, Phil Sutter wrote: > On Wed, Mar 21, 2018 at 12:34:53PM +0100, Pablo Neira Ayuso wrote: > > Hi Phil, > > > > On Wed, Mar 21, 2018 at 12:07:53PM +0100, Phil Sutter wrote: > > > Previously, creating a set of type ipv4_addr with timeout flag failed: > > >

[PATCH 2/2 nf] netfilter: nf_tables: do not hold reference on netdevice from preparation phase

2018-03-22 Thread Pablo Neira Ayuso
The netfilter netdevice event handlers hold the nfnl_lock mutex, this avoids a race with devices going away while a device is being attached to hooks from the netlink control plane. Therefore, control plane bails out with ENOENT or netdevice event path waits until the hook that is attached to

[PATCH 1/2 nf] netfilter: nf_tables: cache device name in flowtable object

2018-03-22 Thread Pablo Neira Ayuso
Devices going away have to grab the nfnl_lock from the netdev event path to avoid races with control plane updates. However, netlink dumps in netfilter do not hold nfnl_lock mutex. Cache the device name into the objects to avoid a use-after-free situation for a device that is going away.

Re: [PATCH nf] netfilter: drop template ct when conntrack is skipped.

2018-03-22 Thread Pablo Neira Ayuso
On Thu, Mar 22, 2018 at 11:08:50AM +0100, Paolo Abeni wrote: > The ipv4 nf_ct code currently skips the nf_conntrak_in() call > for fragmented packets. As a result later matches/target can end > up manipulating template ct entry instead of 'real' ones. > > Exploiting the above, syzbot found a way

Re: [PATCH nf] netfilter: drop template ct when conntrack is skipped.

2018-03-22 Thread Florian Westphal
Paolo Abeni wrote: > The ipv4 nf_ct code currently skips the nf_conntrak_in() call > for fragmented packets. As a result later matches/target can end > up manipulating template ct entry instead of 'real' ones. > > Exploiting the above, syzbot found a way to trigger the

[PATCH nf] netfilter: drop template ct when conntrack is skipped.

2018-03-22 Thread Paolo Abeni
The ipv4 nf_ct code currently skips the nf_conntrak_in() call for fragmented packets. As a result later matches/target can end up manipulating template ct entry instead of 'real' ones. Exploiting the above, syzbot found a way to trigger the following splat: WARNING: CPU: 1 PID: 4242 at