git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.9.70/fix-handling-of-verdicts-after-nf_queue.patch
4.9-stable patches
1 From dbanerje@akamai.com Thu Dec 14 18:38:57 2017
2 From: Debabrata Banerjee <dbanerje@akamai.com>
3 Date: Wed, 13 Dec 2017 15:33:37 -0500
4 Subject: Fix handling of verdicts after NF_QUEUE
5 To: Pablo Neira Ayuso <pablo@netfilter.org>
6 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, "David S . Miller" <davem@davemloft.net>, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, stable@vger.kernel.org, dbanerje@akamai.com
7 Message-ID: <20171213203337.314-1-dbanerje@akamai.com>
8
9 From: Debabrata Banerjee <dbanerje@akamai.com>
10
11 [This fix is only needed for v4.9 stable since v4.10+ does not have the issue]
12
13 A verdict of NF_STOLEN after NF_QUEUE will cause an incorrect return value
14 and a potential kernel panic via double free of skb's
15
16 This was broken by commit 7034b566a4e7 ("netfilter: fix nf_queue handling")
17 and subsequently fixed in v4.10 by commit c63cbc460419 ("netfilter:
18 use switch() to handle verdict cases from nf_hook_slow()"). However that
19 commit cannot be cleanly cherry-picked to v4.9
20
21 Signed-off-by: Debabrata Banerjee <dbanerje@akamai.com>
22 Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
23
24 ---
25 net/netfilter/core.c | 5 +++++
26 1 file changed, 5 insertions(+)
27
28 --- a/net/netfilter/core.c
29 +++ b/net/netfilter/core.c
30 @@ -364,6 +364,11 @@ next_hook:
31 ret = nf_queue(skb, state, &entry, verdict);
32 if (ret == 1 && entry)
33 goto next_hook;
34 + } else {
35 + /* Implicit handling for NF_STOLEN, as well as any other
36 + * non conventional verdicts.
37 + */
38 + ret = 0;
39 }
40 return ret;
41 }
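
Review bot: The new catch-all `else` sets `ret = 0` for every verdict the earlier branches did not match, not only NF_STOLEN, so an unexpected or corrupted verdict value is handled silently and identically to a stolen skb. The commit message describes the NF_STOLEN case specifically (wrong return value leading to a double free of the skb), so consider matching NF_STOLEN explicitly and having the remaining fallback emit a one-time warning such as `WARN_ON_ONCE(1)` before returning, which would make a stray verdict visible in the logs instead of hiding it. If the catch-all is kept for the sake of a minimal stable backport, the comment should say why 0 is the correct value here (what `ret` held on reaching this point and what the caller does with the skb on a 0 return), since "implicit handling" does not tell the reader what ownership rule is being relied on. For a verdict that did not actually take ownership of the skb, it is also worth confirming that returning 0 without freeing does not turn the double free into a leak.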