summaryrefslogtreecommitdiffstats
path: root/0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
diff options
context:
space:
mode:
Diffstat (limited to '0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch')
-rw-r--r--0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch69
1 files changed, 0 insertions, 69 deletions
diff --git a/0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch b/0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
deleted file mode 100644
index a5af1a3e9..000000000
--- a/0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Tue, 29 Nov 2016 02:17:34 +0100
-Subject: [PATCH] netfilter: ipv6: nf_defrag: drop mangled skb on ream error
-
-Dmitry Vyukov reported GPF in network stack that Andrey traced down to
-negative nh offset in nf_ct_frag6_queue().
-
-Problem is that all network headers before fragment header are pulled.
-Normal ipv6 reassembly will drop the skb when errors occur further down
-the line.
-
-netfilter doesn't do this, and instead passed the original fragment
-along. That was also fine back when netfilter ipv6 defrag worked with
-cloned fragments, as the original, pristine fragment was passed on.
-
-So we either have to undo the pull op, or discard such fragments.
-Since they're malformed after all (e.g. overlapping fragment) it seems
-preferrable to just drop them.
-
-Same for temporary errors -- it doesn't make sense to accept (and
-perhaps forward!) only some fragments of same datagram.
-
-Fixes: 029f7f3b8701cc7ac ("netfilter: ipv6: nf_defrag: avoid/free clone operations")
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Debugged-by: Andrey Konovalov <andreyknvl@google.com>
-Diagnosed-by: Eric Dumazet <Eric Dumazet <edumazet@google.com>
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Acked-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++--
- net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
-index e4347ae..9948b5c 100644
---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
-+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -576,11 +576,11 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
- /* Jumbo payload inhibits frag. header */
- if (ipv6_hdr(skb)->payload_len == 0) {
- pr_debug("payload len = 0\n");
-- return -EINVAL;
-+ return 0;
- }
-
- if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0)
-- return -EINVAL;
-+ return 0;
-
- if (!pskb_may_pull(skb, fhoff + sizeof(*fhdr)))
- return -ENOMEM;
-diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
-index f7aab5a..f06b047 100644
---- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
-+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
-@@ -69,7 +69,7 @@ static unsigned int ipv6_defrag(void *priv,
- if (err == -EINPROGRESS)
- return NF_STOLEN;
-
-- return NF_ACCEPT;
-+ return err == 0 ? NF_ACCEPT : NF_DROP;
- }
-
- static struct nf_hook_ops ipv6_defrag_ops[] = {
---
-2.9.3
-
generated by cgit (git 2.34.1) at 2024-05-20 07:47:24 +0000