davidlt/kernel-ark
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
561dac2d41
kernel-ark/net/ipv6/netfilter
History
Florian Westphal c6675233f9 netfilter: nf_queue: reject NF_STOLEN verdicts from userspace 
A userspace listener may send (bogus) NF_STOLEN verdict, which causes skb leak.

This problem was previously fixed via
64507fdbc2 (netfilter:
nf_queue: fix NF_STOLEN skb leak) but this had to be reverted because
NF_STOLEN can also be returned by a netfilter hook when iterating the
rules in nf_reinject.

Reject userspace NF_STOLEN verdict, as suggested by Michal Miroslaw.

This is complementary to commit fad5444043
(netfilter: avoid double free in nf_reinject).

Cc: Julian Anastasov <ja@ssi.bg>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2011-08-30 15:01:20 +02:00
..
ip6_queue.c netfilter: nf_queue: reject NF_STOLEN verdicts from userspace 2011-08-30 15:01:20 +02:00
ip6_tables.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2011-04-19 11:24:06 -07:00
ip6t_ah.c
ip6t_eui64.c
ip6t_frag.c
ip6t_hbh.c
ip6t_ipv6header.c
ip6t_LOG.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-02-19 19:17:35 -08:00
ip6t_mh.c
ip6t_REJECT.c netfilter: IPv6: initialize TOS field in REJECT target module 2011-05-10 09:55:44 +02:00
ip6t_rt.c
ip6table_filter.c
ip6table_mangle.c netfilter: ip6table_mangle: Fix set-but-unused variables. 2011-04-17 17:06:15 -07:00
ip6table_raw.c
ip6table_security.c
Kconfig
Makefile
nf_conntrack_l3proto_ipv6.c netfilter: add more values to enum ip_conntrack_info 2011-06-06 01:35:10 +02:00
nf_conntrack_proto_icmpv6.c netfilter: nf_conntrack: fix ct refcount leak in l4proto->error() 2011-06-06 01:37:02 +02:00
nf_conntrack_reasm.c
nf_defrag_ipv6_hooks.c Fix common misspellings 2011-03-31 11:26:23 -03:00