skb_header_pointer will copy data into a buffer if the data is non-linear,
otherwise it will return a pointer into the linear section of the data.
nf_sk_lookup_slow_v{4,6} always copies data of size udphdr but later
accesses memory within the size of tcphdr (th->doff) in case of TCP
packets. This causes
Hi Pablo,
On Tue, 20 Mar 2018, Pablo Neira Ayuso wrote:
> Before this patch, if TCP state is < TIME_WAIT, we skip this logic.
> Along time, we got new states over the TIME_WAIT value, such as
> SYN_SENT2, RETRANS and UNACK, that can trigger this conntrack entry
> reset, however this check was
From: Kirill Tkhai
Date: Mon, 19 Mar 2018 14:45:46 +0300
> These pernet_operations register and unregister sysctl.
> Also, there is inet_frags_exit_net() called in exit method,
> which has to be safe after a560002437d3 "net: Fix hlist
> corruptions in inet_evict_bucket()".
From: Kirill Tkhai
Date: Mon, 19 Mar 2018 14:45:37 +0300
> These pernet_operations register and unregister sysctl.
> Also, there is inet_frags_exit_net() called in exit method,
> which has to be safe after a560002437d3 "net: Fix hlist
> corruptions in inet_evict_bucket()".
On Wed, Mar 21, 2018 at 05:44:06PM +0100, Phil Sutter wrote:
> On Wed, Mar 21, 2018 at 12:34:53PM +0100, Pablo Neira Ayuso wrote:
> > Hi Phil,
> >
> > On Wed, Mar 21, 2018 at 12:07:53PM +0100, Phil Sutter wrote:
> > > Previously, creating a set of type ipv4_addr with timeout flag failed:
> > >
The netfilter netdevice event handlers hold the nfnl_lock mutex; this
avoids a race with devices going away while a device is being attached to
hooks from the netlink control plane. Therefore, the control plane bails
out with ENOENT or the netdevice event path waits until the hook that is
attached to
Devices going away have to grab the nfnl_lock from the netdev event path
to avoid races with control plane updates.
However, netlink dumps in netfilter do not hold the nfnl_lock mutex. Cache
the device name in the objects to avoid a use-after-free situation
for a device that is going away.
On Thu, Mar 22, 2018 at 11:08:50AM +0100, Paolo Abeni wrote:
> The ipv4 nf_ct code currently skips the nf_conntrak_in() call
> for fragmented packets. As a result, later matches/targets can end
> up manipulating the template ct entry instead of 'real' ones.
>
> Exploiting the above, syzbot found a way
Paolo Abeni wrote:
> The ipv4 nf_ct code currently skips the nf_conntrak_in() call
> for fragmented packets. As a result, later matches/targets can end
> up manipulating the template ct entry instead of 'real' ones.
>
> Exploiting the above, syzbot found a way to trigger the
The ipv4 nf_ct code currently skips the nf_conntrak_in() call
for fragmented packets. As a result, later matches/targets can end
up manipulating the template ct entry instead of 'real' ones.
Exploiting the above, syzbot found a way to trigger the following
splat:
WARNING: CPU: 1 PID: 4242 at