linux/net/ipv4/netfilter, branch v2.6.19

[NETFILTER]: ipt_REJECT: fix memory corruption

2006-11-29T04:59:38Z

On devices with hard_header_len > LL_MAX_HEADER ip_route_me_harder() reallocates the skb, leading to memory corruption when using the stale tcph pointer to update the checksum. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: conntrack: fix refcount leak when finding expectation

2006-11-29T04:59:37Z

All users of __{ip,nf}_conntrack_expect_find() don't expect that it increments the reference count of expectation. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: ctnetlink: fix reference count leak

2006-11-29T04:59:36Z

When NFA_NEST exceeds the skb size the protocol reference is leaked. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: H.323 conntrack: fix crash with CONFIG_IP_NF_CT_ACCT

2006-11-25T23:16:47Z

H.323 connection tracking code calls ip_ct_refresh_acct() when processing RCFs and URQs but passes NULL as the skb. When CONFIG_IP_NF_CT_ACCT is enabled, the connection tracking core tries to derefence the skb, which results in an obvious panic. A similar fix was applied on the SIP connection tracking code some time ago. Signed-off-by: Faidon Liambotis Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: Use pskb_trim in {ip,ip6,nfnetlink}_queue

2006-11-16T05:18:48Z

Based on patch by James D. Nurmi: I've got some code very dependant on nfnetlink_queue, and turned up a large number of warns coming from skb_trim. While it's quite possibly my code, having not seen it on older kernels made me a bit suspect. Anyhow, based on some googling I turned up this thread: http://lkml.org/lkml/2006/8/13/56 And believe the issue to be related, so attached is a small patch to the kernel -- not sure if this is completely correct, but for anyone else hitting the WARN_ON(1) in skbuff.h, it might be helpful.. Signed-off-by: James D. Nurmi Ported to ip6_queue and nfnetlink_queue and added return value checks. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: ip_tables: compat code module refcounting fix

2006-10-30T23:24:47Z

This patch fixes bug in iptables modules refcounting on compat error way. As we are getting modules in check_compat_entry_size_and_hooks(), in case of later error, we should put them all in translate_compat_table(), not in the compat_copy_entry_from_user() or compat_copy_match_from_user(), as it is now. Signed-off-by: Dmitry Mishin Acked-by: Vasily Averin Acked-by: Kirill Korotaev Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: ip_tables: compat error way cleanup

2006-10-30T23:24:45Z

This patch adds forgotten compat_flush_offset() call to error way of translate_compat_table(). May lead to table corruption on the next compat_do_replace(). Signed-off-by: Vasily Averin Acked-by: Dmitry Mishin Acked-by: Kirill Korotaev Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables

2006-10-30T23:24:44Z

There is a number of issues in parsing user-provided table in translate_table(). Malicious user with CAP_NET_ADMIN may crash system by passing special-crafted table to the *_tables. The first issue is that mark_source_chains() function is called before entry content checks. In case of standard target, mark_source_chains() function uses t->verdict field in order to determine new position. But the check, that this field leads no further, than the table end, is in check_entry(), which is called later, than mark_source_chains(). The second issue, that there is no check that target_offset points inside entry. If so, *_ITERATE_MATCH macro will follow further, than the entry ends. As a result, we'll have oops or memory disclosure. And the third issue, that there is no check that the target is completely inside entry. Results are the same, as in previous issue. Signed-off-by: Dmitry Mishin Acked-by: Kirill Korotaev Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: Missing check for CAP_NET_ADMIN in iptables compat layer

2006-10-20T07:21:10Z

The 32bit compatibility layer has no CAP_NET_ADMIN check in compat_do_ipt_get_ctl, which for example allows to list the current iptables rules even without having that capability (the non-compat version requires it). Other capabilities might be required to exploit the bug (eg. CAP_NET_RAW to get the nfnetlink socket?), so a plain user can't exploit it, but a setup actually using the posix capability system might very well hit such a constellation of granted capabilities. Signed-off-by: Björn Steinbrink Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: ctnetlink: Remove debugging messages

2006-10-16T06:14:11Z

Remove (compilation-breaking) debugging messages introduced at early development stage. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller