[PATCH] netfilter: add overflow checks in xt_bpf.c

2017-11-30 Thread Jann Horn
match") Signed-off-by: Jann Horn --- net/netfilter/xt_bpf.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c index 041da0d9c06f..1f7fbd3c7e5a 100644 --- a/net/netfilter/xt_bpf.c +++ b/net/netfilter/xt_bpf.c @@ -27,6 +27,9 @@

Re: [PATCH] netfilter: add overflow checks in xt_bpf.c

2017-11-30 Thread Jann Horn
On Fri, Dec 1, 2017 at 5:04 AM, Willem de Bruijn wrote: > On Thu, Nov 30, 2017 at 7:46 PM, Jann Horn wrote: >> Check whether inputs from userspace are too long (explicit length field too >> big or string not null-terminated) to avoid out-of-bounds reads. >> >> As far
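The two checks the quoted commit message describes (an explicit count that must not exceed the array it indexes, and a fixed-size string buffer that must contain a NUL before it ends) as an added userspace illustration written for this page; it is not code from the patch or from the kernel's net/netfilter/xt_bpf.c. The struct layout, the constants MAX_INSTR and PATH_MAX_LEN, and every function name below are assumptions modelled loosely on a netfilter match-info block, not the real struct xt_bpf_info.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes chosen for this example; not the kernel's values. */
#define MAX_INSTR    8
#define PATH_MAX_LEN 16

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Shape modelled on a match-info block copied verbatim from userspace:
 * an explicit element count, a fixed-size array, and a fixed-size string
 * buffer. Assumed layout, not struct xt_bpf_info. */
struct match_info {
    uint16_t mode;                    /* assumed: 0 = inline program, 1 = path */
    uint16_t insn_num;                /* number of valid entries in program[] */
    struct insn program[MAX_INSTR];
    char path[PATH_MAX_LEN];
};

/* Validate the two length-bearing fields before anything uses them.
 * Returns 0 on success or -EINVAL, mirroring kernel error convention. */
int validate_match_info(const struct match_info *info)
{
    /* A loop that runs insn_num times over program[] would read past the
     * array (and the struct) if the count is larger than the array. */
    if (info->insn_num > MAX_INSTR)
        return -EINVAL;

    /* strnlen() returning the buffer size means there is no NUL inside
     * the buffer; treating path as a C string would then read beyond it. */
    if (strnlen(info->path, PATH_MAX_LEN) == PATH_MAX_LEN)
        return -EINVAL;

    return 0;
}

/* A consumer that only touches validated data: bytes the program occupies,
 * or the negative error from validation. */
long program_bytes(const struct match_info *info)
{
    int ret = validate_match_info(info);
    if (ret)
        return ret;
    return (long)info->insn_num * (long)sizeof(struct insn);
}

/* Constructed inputs for a self-check (not captured from a real system). */
static struct match_info make_info(uint16_t insn_num, const char *path, int terminate)
{
    struct match_info info;
    memset(&info, 0, sizeof info);
    info.insn_num = insn_num;
    if (terminate)
        snprintf(info.path, sizeof info.path, "%s", path);
    else
        memset(info.path, 'A', sizeof info.path);   /* no NUL anywhere in path */
    return info;
}

int example_good(void)
{
    struct match_info i = make_info(3, "/sys/fs/bpf/x", 1);
    return validate_match_info(&i);
}

int example_too_many(void)
{
    struct match_info i = make_info(MAX_INSTR + 1, "/a", 1);
    return validate_match_info(&i);
}

int example_unterminated(void)
{
    struct match_info i = make_info(1, "", 0);
    return validate_match_info(&i);
}

int main(void)
{
    printf("good=%d too_many=%d unterminated=%d\n",
           example_good(), example_too_many(), example_unterminated());
    return 0;
}
```

The order matters: the count check has to happen before any loop over program[], and the strnlen check before any strlen(), strcpy() or path lookup on path, since those are exactly the reads the checks exist to bound.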

Re: linux-next: manual merge of the vfs tree with the netfilter tree

2017-12-06 Thread Jann Horn
On Thu, Dec 7, 2017 at 1:10 AM, Stephen Rothwell wrote: > Hi Al, > > Today's linux-next merge of the vfs tree got a conflict in: > > net/netfilter/xt_bpf.c > > between commit: > > 6ab405114b0b ("netfilter: xt_bpf: add overflow checks") > > from the netfilter tree and commit: > > af58d2496b49

[PATCH net] netfilter: nf_log: fix uninit read in nf_log_proc_dostring

2018-06-20 Thread Jann Horn
When proc_dostring() is called with a non-zero offset in strict mode, it doesn't just write to the ->data buffer, it also reads. Make sure it doesn't read uninitialized data. Fixes: c6ac37d8d884 ("netfilter: nf_log: fix error on write NONE to [...]") Signed-off-by: Jann H

[PATCH net] netfilter: nf_log: don't hold nf_log_mutex during user access

2018-06-25 Thread Jann Horn
ction called from invalid context"), which changed this code from using rcu_read_lock() to taking nf_log_mutex. Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]") Signed-off-by: Jann Horn --- net/netfilter/nf_log.c | 9 ++--- 1 file changed, 6 insert

[PATCH] netfilter: fix namespace handling in nf_log_proc_dostring

2016-09-18 Thread Jann Horn
"NONE"; if (write(stolen_fd, data, strlen(data)) != strlen(data)) err(1, "write"); return 0; } Repro: $ gcc -Wall -o attack attack.c -std=gnu99 $ cat /proc/sys/net/netfilter/nf_log/2 nf_log_ipv4 $ ./attack $ cat /proc/sys/net/netfilter/nf_log/2 NONE

[PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

2016-09-23 Thread Jann Horn
This prevents the modification of nf_conntrack_max in unprivileged network namespaces. For unprivileged network namespaces, ip_conntrack_max is kept as a readonly sysctl in order to minimize potential compatibility issues. This patch should apply cleanly to the net tree. Signed-off-by: Jann Horn

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

2016-10-22 Thread Jann Horn
On Thu, Oct 20, 2016 at 02:37:47PM -0400, David Miller wrote: > From: Pablo Neira Ayuso > Date: Thu, 20 Oct 2016 20:22:24 +0200 > > > On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote: > >> This prevents the modification of nf_conntrack_max in unprivileged netw

Re: nft/bpf interpreters and spectre2. Was: [PATCH RFC 0/4] net: add bpfilter

2018-02-22 Thread Jann Horn
[resend as plaintext, apparently mobile gmail will send HTML mails] On Thu, Feb 22, 2018 at 3:20 AM, Alexei Starovoitov wrote: > On Wed, Feb 21, 2018 at 01:13:03PM +0100, Florian Westphal wrote: >> >> Obvious candidates are: meta, numgen, limit, objref, quota, reject. >> >> We should probably als