netfilter patches queued for next -stable
authorChris Wright <chrisw@sous-sol.org>
Fri, 17 Nov 2006 07:00:50 +0000 (23:00 -0800)
committerChris Wright <chrisw@sous-sol.org>
Fri, 17 Nov 2006 07:00:50 +0000 (23:00 -0800)
queue-2.6.18/netfilter-arp_tables-missing-unregistration-on-module-unload.patch [new file with mode: 0644]
queue-2.6.18/netfilter-honour-source-routing-for-lvs-nat.patch [new file with mode: 0644]
queue-2.6.18/netfilter-ip_tables-compat-error-way-cleanup.patch [new file with mode: 0644]
queue-2.6.18/netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch [new file with mode: 0644]
queue-2.6.18/netfilter-kconfig-fix-xt_physdev-dependencies.patch [new file with mode: 0644]
queue-2.6.18/netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch [new file with mode: 0644]
queue-2.6.18/netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch [new file with mode: 0644]
queue-2.6.18/netfilter-xt_connsecmark-fix-kconfig-dependencies.patch [new file with mode: 0644]
queue-2.6.18/series [new file with mode: 0644]

diff --git a/queue-2.6.18/netfilter-arp_tables-missing-unregistration-on-module-unload.patch b/queue-2.6.18/netfilter-arp_tables-missing-unregistration-on-module-unload.patch
new file mode 100644 (file)
index 0000000..68a4628
--- /dev/null
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org  Thu Nov 16 21:40:49 2006
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20061117053546.10231.16864.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:46 +0100 (MET)
+Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: arp_tables: missing unregistration on module unload
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit 6b22b99ecd431b63aece1fa5b1faa01b75a8302e
+tree 7969fd96d4daad6eaf8a10a0659702ca3e404439
+parent 0ef4760e162ea44c847cca7393b36e5bcac5414e
+author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:24:43 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:24:43 +0100
+
+ net/ipv4/netfilter/arp_tables.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/arp_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/arp_tables.c
+@@ -1211,6 +1211,8 @@ err1:
+ static void __exit arp_tables_fini(void)
+ {
+       nf_unregister_sockopt(&arpt_sockopts);
++      xt_unregister_target(&arpt_error_target);
++      xt_unregister_target(&arpt_standard_target);
+       xt_proto_fini(NF_ARP);
+ }
diff --git a/queue-2.6.18/netfilter-honour-source-routing-for-lvs-nat.patch b/queue-2.6.18/netfilter-honour-source-routing-for-lvs-nat.patch
new file mode 100644 (file)
index 0000000..e8142ea
--- /dev/null
@@ -0,0 +1,128 @@
+From stable-bounces@linux.kernel.org  Thu Nov 16 21:40:54 2006
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20061117053548.10231.71519.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:48 +0100 (MET)
+Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: Honour source routing for LVS-NAT
+
+For policy routing, packets originating from this machine itself may be
+routed differently to packets passing through. We want this packet to be
+routed as if it came from this machine itself. So re-compute the routing
+information using ip_route_me_harder().
+
+This patch is derived from work by Ken Brownfield
+
+This patch (-stable version) also includes commit
+b4c4ed175ff0ee816df48571cfa9b73f521964b6 ([NETFILTER]: add type parameter
+to ip_route_me_harder), which is a precondition for the fix.
+
+Cc: Ken Brownfield <krb@irridia.com>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit cf08e74a590c945d3c0b95886ea3fad8ff73793d
+tree d5c1a44360bb9a4a2d59e37a9f0dc3c6ce0b6c49
+parent 6b22b99ecd431b63aece1fa5b1faa01b75a8302e
+author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:11 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:11 +0100
+
+ include/linux/netfilter_ipv4.h         |    2 +-
+ net/ipv4/ipvs/ip_vs_core.c             |   10 ++++++++++
+ net/ipv4/netfilter.c                   |    9 ++++++---
+ net/ipv4/netfilter/ip_nat_standalone.c |    3 ++-
+ net/ipv4/netfilter/iptable_mangle.c    |    3 ++-
+ 5 files changed, 21 insertions(+), 6 deletions(-)
+
+--- linux-2.6.18.3.orig/include/linux/netfilter_ipv4.h
++++ linux-2.6.18.3/include/linux/netfilter_ipv4.h
+@@ -77,7 +77,7 @@ enum nf_ip_hook_priorities {
+ #define SO_ORIGINAL_DST 80
+ #ifdef __KERNEL__
+-extern int ip_route_me_harder(struct sk_buff **pskb);
++extern int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type);
+ extern int ip_xfrm_me_harder(struct sk_buff **pskb);
+ extern unsigned int nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+                                  unsigned int dataoff, u_int8_t protocol);
+--- linux-2.6.18.3.orig/net/ipv4/ipvs/ip_vs_core.c
++++ linux-2.6.18.3/net/ipv4/ipvs/ip_vs_core.c
+@@ -813,6 +813,16 @@ ip_vs_out(unsigned int hooknum, struct s
+       skb->nh.iph->saddr = cp->vaddr;
+       ip_send_check(skb->nh.iph);
++      /* For policy routing, packets originating from this
++       * machine itself may be routed differently to packets
++       * passing through.  We want this packet to be routed as
++       * if it came from this machine itself.  So re-compute
++       * the routing information.
++       */
++      if (ip_route_me_harder(pskb, RTN_LOCAL) != 0)
++              goto drop;
++      skb = *pskb;
++
+       IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
+       ip_vs_out_stats(cp, skb);
+--- linux-2.6.18.3.orig/net/ipv4/netfilter.c
++++ linux-2.6.18.3/net/ipv4/netfilter.c
+@@ -8,7 +8,7 @@
+ #include <net/ip.h>
+ /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
+-int ip_route_me_harder(struct sk_buff **pskb)
++int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type)
+ {
+       struct iphdr *iph = (*pskb)->nh.iph;
+       struct rtable *rt;
+@@ -16,10 +16,13 @@ int ip_route_me_harder(struct sk_buff **
+       struct dst_entry *odst;
+       unsigned int hh_len;
++      if (addr_type == RTN_UNSPEC)
++              addr_type = inet_addr_type(iph->saddr);
++
+       /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
+        * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
+        */
+-      if (inet_addr_type(iph->saddr) == RTN_LOCAL) {
++      if (addr_type == RTN_LOCAL) {
+               fl.nl_u.ip4_u.daddr = iph->daddr;
+               fl.nl_u.ip4_u.saddr = iph->saddr;
+               fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
+@@ -156,7 +159,7 @@ static int nf_ip_reroute(struct sk_buff 
+               if (!(iph->tos == rt_info->tos
+                     && iph->daddr == rt_info->daddr
+                     && iph->saddr == rt_info->saddr))
+-                      return ip_route_me_harder(pskb);
++                      return ip_route_me_harder(pskb, RTN_UNSPEC);
+       }
+       return 0;
+ }
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_nat_standalone.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_nat_standalone.c
+@@ -275,7 +275,8 @@ ip_nat_local_fn(unsigned int hooknum,
+                      ct->tuplehash[!dir].tuple.src.u.all
+ #endif
+                   )
+-                      return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
++                      if (ip_route_me_harder(pskb, RTN_UNSPEC))
++                              ret = NF_DROP;
+       }
+       return ret;
+ }
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/iptable_mangle.c
++++ linux-2.6.18.3/net/ipv4/netfilter/iptable_mangle.c
+@@ -157,7 +157,8 @@ ipt_local_hook(unsigned int hook,
+               || (*pskb)->nfmark != nfmark
+ #endif
+               || (*pskb)->nh.iph->tos != tos))
+-              return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
++              if (ip_route_me_harder(pskb, RTN_UNSPEC))
++                      ret = NF_DROP;
+       return ret;
+ }
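Review bot: The new `addr_type` parameter of ip_route_me_harder() in include/linux/netfilter_ipv4.h is undocumented, and its contract (RTN_UNSPEC means "classify from the packet's saddr", RTN_LOCAL forces the locally-generated lookup) is only discoverable by reading the body in net/ipv4/netfilter.c; a comment on the declaration such as `/* addr_type: RTN_LOCAL to route as locally generated, RTN_UNSPEC to classify from iph->saddr */` would make the four call sites self-explanatory. In ip_vs_out the added `goto drop` jumps to a label outside the hunk; presumably it releases the connection reference and frees the skb like the other failure exits, but that cannot be confirmed here and should be checked against the full function. As a point of style, the rewritten `if` bodies in ip_nat_standalone.c and iptable_mangle.c hang off multi-line conditions without braces, which is easy to misread; wrapping `ret = NF_DROP;` in braces would be clearer. The enclosing functions ip_vs_out, ip_nat_local_fn and ipt_local_hook all begin outside the hunk.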
diff --git a/queue-2.6.18/netfilter-ip_tables-compat-error-way-cleanup.patch b/queue-2.6.18/netfilter-ip_tables-compat-error-way-cleanup.patch
new file mode 100644 (file)
index 0000000..b0209c3
--- /dev/null
@@ -0,0 +1,39 @@
+From stable-bounces@linux.kernel.org  Thu Nov 16 21:40:05 2006
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20061117053542.10231.61123.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:42 +0100 (MET)
+Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: ip_tables: compat error way cleanup
+
+This patch adds forgotten compat_flush_offset() call to error way of
+translate_compat_table().  May lead to table corruption on the next
+compat_do_replace().
+
+Signed-off-by: Vasily Averin <vvs@openvz.org>
+Acked-by: Dmitry Mishin <dim@openvz.org>
+Acked-by: Kirill Korotaev <dev@openvz.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit efb1447a67abac93048ad7af0c59cd9b5a9177a6
+tree 9d56a6e758a3ad0e617f2527ac4b4efdeba5b64a
+parent 4410392a8258fd972fc08a336278b14c82b2774f
+author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:39 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:39 +0100
+
+ net/ipv4/netfilter/ip_tables.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_tables.c
+@@ -1775,6 +1775,7 @@ free_newinfo:
+ out:
+       return ret;
+ out_unlock:
++      compat_flush_offsets();
+       xt_compat_unlock(AF_INET);
+       goto out;
+ }
diff --git a/queue-2.6.18/netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch b/queue-2.6.18/netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch
new file mode 100644 (file)
index 0000000..d87976c
--- /dev/null
@@ -0,0 +1,159 @@
+From stable-bounces@linux.kernel.org  Thu Nov 16 21:40:10 2006
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20061117053544.10231.95904.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:44 +0100 (MET)
+Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: ip_tables: fix module refcount leaks in compat error paths
+
+Based on patch by myself with additional fixes from Dmitry Mishin <dim@openvz.org>.
+
+Signed-off-by: Dmitry Mishin <dim@openvz.org>
+Acked-by: Vasily Averin <vvs@openvz.org>
+Acked-by: Kirill Korotaev <dev@openvz.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit 94a3d63f9ca6cb404f62ee4186d20fec3e8bdc97
+tree 86873a5eff586598eceabdbe4c042c55f62d4fbc
+parent efb1447a67abac93048ad7af0c59cd9b5a9177a6
+author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:23:20 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:23:20 +0100
+
+ net/ipv4/netfilter/ip_tables.c |   36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_tables.c
+@@ -1537,7 +1537,7 @@ check_compat_entry_size_and_hooks(struct
+       ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip,
+                       e->comefrom, &off, &j);
+       if (ret != 0)
+-              goto out;
++              goto cleanup_matches;
+       t = ipt_get_target(e);
+       target = try_then_request_module(xt_find_target(AF_INET,
+@@ -1547,7 +1547,7 @@ check_compat_entry_size_and_hooks(struct
+       if (IS_ERR(target) || !target) {
+               duprintf("check_entry: `%s' not found\n", t->u.user.name);
+               ret = target ? PTR_ERR(target) : -ENOENT;
+-              goto out;
++              goto cleanup_matches;
+       }
+       t->u.kernel.target = target;
+@@ -1574,7 +1574,10 @@ check_compat_entry_size_and_hooks(struct
+       (*i)++;
+       return 0;
++
+ out:
++      module_put(t->u.kernel.target->me);
++cleanup_matches:
+       IPT_MATCH_ITERATE(e, cleanup_match, &j);
+       return ret;
+ }
+@@ -1597,18 +1600,16 @@ static inline int compat_copy_match_from
+       ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
+                            name, hookmask, ip->proto,
+                            ip->invflags & IPT_INV_PROTO);
+-      if (ret)
+-              return ret;
+-      if (m->u.kernel.match->checkentry
++      if (!ret && m->u.kernel.match->checkentry
+           && !m->u.kernel.match->checkentry(name, ip, match, dm->data,
+                                             dm->u.match_size - sizeof(*dm),
+                                             hookmask)) {
+               duprintf("ip_tables: check failed for `%s'.\n",
+                        m->u.kernel.match->name);
+-              return -EINVAL;
++              ret = -EINVAL;
+       }
+-      return 0;
++      return ret;
+ }
+ static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
+@@ -1630,7 +1631,7 @@ static int compat_copy_entry_from_user(s
+       ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
+                       name, &de->ip, de->comefrom);
+       if (ret)
+-              goto out;
++              goto err;
+       de->target_offset = e->target_offset - (origsize - *size);
+       t = ipt_get_target(e);
+       target = t->u.kernel.target;
+@@ -1653,22 +1654,22 @@ static int compat_copy_entry_from_user(s
+                             name, e->comefrom, e->ip.proto,
+                             e->ip.invflags & IPT_INV_PROTO);
+       if (ret)
+-              goto out;
++              goto err;
+       ret = -EINVAL;
+       if (t->u.kernel.target == &ipt_standard_target) {
+               if (!standard_check(t, *size))
+-                      goto out;
++                      goto err;
+       } else if (t->u.kernel.target->checkentry
+                  && !t->u.kernel.target->checkentry(name, de, target,
+                               t->data, t->u.target_size - sizeof(*t),
+                               de->comefrom)) {
+               duprintf("ip_tables: compat: check failed for `%s'.\n",
+                        t->u.kernel.target->name);
+-              goto out;
++              goto err;
+       }
+       ret = 0;
+-out:
++ err:
+       return ret;
+ }
+@@ -1682,7 +1683,7 @@ translate_compat_table(const char *name,
+               unsigned int *hook_entries,
+               unsigned int *underflows)
+ {
+-      unsigned int i;
++      unsigned int i, j;
+       struct xt_table_info *newinfo, *info;
+       void *pos, *entry0, *entry1;
+       unsigned int size;
+@@ -1700,21 +1701,21 @@ translate_compat_table(const char *name,
+       }
+       duprintf("translate_compat_table: size %u\n", info->size);
+-      i = 0;
++      j = 0;
+       xt_compat_lock(AF_INET);
+       /* Walk through entries, checking offsets. */
+       ret = IPT_ENTRY_ITERATE(entry0, total_size,
+                               check_compat_entry_size_and_hooks,
+                               info, &size, entry0,
+                               entry0 + total_size,
+-                              hook_entries, underflows, &i, name);
++                              hook_entries, underflows, &j, name);
+       if (ret != 0)
+               goto out_unlock;
+       ret = -EINVAL;
+-      if (i != number) {
++      if (j != number) {
+               duprintf("translate_compat_table: %u not %u entries\n",
+-                       i, number);
++                       j, number);
+               goto out_unlock;
+       }
+@@ -1773,6 +1774,7 @@ translate_compat_table(const char *name,
+ free_newinfo:
+       xt_free_table_info(newinfo);
+ out:
++      IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j);
+       return ret;
+ out_unlock:
+       compat_flush_offsets();
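Review bot: The `out:` label in check_compat_entry_size_and_hooks now executes `module_put(t->u.kernel.target->me)`, so every remaining `goto out` between `t->u.kernel.target = target;` and `(*i)++` (not all of those lines are visible in the hunk) must be reachable only after that assignment, otherwise the put dereferences an unset target pointer; worth confirming against the full function. In translate_compat_table the new `IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j);` at `out:` reads `j`, which is declared without an initializer and only set to 0 just before the compat lock is taken; if any earlier failure path (for example the allocation just above the `duprintf`) jumps to `out`, the cleanup iterates with an indeterminate count. Initializing at the declaration, `unsigned int i, j = 0;`, closes that gap without touching the success path. Both functions start and end outside the hunk.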
diff --git a/queue-2.6.18/netfilter-kconfig-fix-xt_physdev-dependencies.patch b/queue-2.6.18/netfilter-kconfig-fix-xt_physdev-dependencies.patch
new file mode 100644 (file)
index 0000000..463e65a
--- /dev/null
@@ -0,0 +1,37 @@
+From stable-bounces@linux.kernel.org  Thu Nov 16 21:40:53 2006
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20061117053549.10231.57261.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:49 +0100 (MET)
+Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: Kconfig: fix xt_physdev dependencies
+
+xt_physdev depends on bridge netfilter, which is a boolean, but can still
+be built modular because of special handling in the bridge makefile. Add
+a dependency on BRIDGE to prevent XT_MATCH_PHYSDEV=y, BRIDGE=m.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit ca6adddd237afa4910bab5e9e8ba0685f37c2bfe
+tree 45c88fae3ec75a90ffac423906e662bdb36e8251
+parent cf08e74a590c945d3c0b95886ea3fad8ff73793d
+author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:31 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:31 +0100
+
+ net/netfilter/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/net/netfilter/Kconfig
++++ linux-2.6.18.3/net/netfilter/Kconfig
+@@ -342,7 +342,7 @@ config NETFILTER_XT_MATCH_MULTIPORT
+ config NETFILTER_XT_MATCH_PHYSDEV
+       tristate '"physdev" match support'
+-      depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
++      depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
+       help
+         Physdev packet matching matches against the physical bridge ports
+         the IP packet arrived on or will leave by.
diff --git a/queue-2.6.18/netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch b/queue-2.6.18/netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch
new file mode 100644 (file)
index 0000000..495e70f
--- /dev/null
@@ -0,0 +1,233 @@
+From stable-bounces@linux.kernel.org  Thu Nov 16 21:40:15 2006
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20061117053545.10231.94652.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:45 +0100 (MET)
+Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: Missed and reordered checks in {arp, ip, ip6}_tables
+
+There is a number of issues in parsing user-provided table in
+translate_table(). Malicious user with CAP_NET_ADMIN may crash system by
+passing special-crafted table to the *_tables.
+
+The first issue is that mark_source_chains() function is called before entry
+content checks. In case of standard target, mark_source_chains() function
+uses t->verdict field in order to determine new position. But the check, that
+this field leads no further, than the table end, is in check_entry(), which
+is called later, than mark_source_chains().
+
+The second issue, that there is no check that target_offset points inside
+entry. If so, *_ITERATE_MATCH macro will follow further, than the entry
+ends. As a result, we'll have oops or memory disclosure.
+
+And the third issue, that there is no check that the target is completely
+inside entry. Results are the same, as in previous issue.
+
+Signed-off-by: Dmitry Mishin <dim@openvz.org>
+Acked-by: Kirill Korotaev <dev@openvz.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit 0ef4760e162ea44c847cca7393b36e5bcac5414e
+tree 7036ce51d75aaf46d5c4abca281956c39caced10
+parent 94a3d63f9ca6cb404f62ee4186d20fec3e8bdc97
+author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:24:10 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:24:10 +0100
+
+ net/ipv4/netfilter/arp_tables.c |   25 ++++++++++++++++---------
+ net/ipv4/netfilter/ip_tables.c  |   30 ++++++++++++++++++++++--------
+ net/ipv6/netfilter/ip6_tables.c |   24 ++++++++++++++++--------
+ 3 files changed, 54 insertions(+), 25 deletions(-)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/arp_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/arp_tables.c
+@@ -471,7 +471,13 @@ static inline int check_entry(struct arp
+               return -EINVAL;
+       }
++      if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset)
++              return -EINVAL;
++
+       t = arpt_get_target(e);
++      if (e->target_offset + t->u.target_size > e->next_offset)
++              return -EINVAL;
++
+       target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name,
+                                                       t->u.user.revision),
+                                        "arpt_%s", t->u.user.name);
+@@ -629,20 +635,18 @@ static int translate_table(const char *n
+               }
+       }
+-      if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
+-              duprintf("Looping hook\n");
+-              return -ELOOP;
+-      }
+-
+       /* Finally, each sanity check must pass */
+       i = 0;
+       ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size,
+                                check_entry, name, size, &i);
+-      if (ret != 0) {
+-              ARPT_ENTRY_ITERATE(entry0, newinfo->size,
+-                                 cleanup_entry, &i);
+-              return ret;
++      if (ret != 0)
++              goto cleanup;
++
++      ret = -ELOOP;
++      if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
++              duprintf("Looping hook\n");
++              goto cleanup;
+       }
+       /* And one copy for every other CPU */
+@@ -651,6 +655,9 @@ static int translate_table(const char *n
+                       memcpy(newinfo->entries[i], entry0, newinfo->size);
+       }
++      return 0;
++cleanup:
++      ARPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
+       return ret;
+ }
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_tables.c
+@@ -552,12 +552,18 @@ check_entry(struct ipt_entry *e, const c
+               return -EINVAL;
+       }
++      if (e->target_offset + sizeof(struct ipt_entry_target) > e->next_offset)
++              return -EINVAL;
++
+       j = 0;
+       ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j);
+       if (ret != 0)
+               goto cleanup_matches;
+       t = ipt_get_target(e);
++      ret = -EINVAL;
++      if (e->target_offset + t->u.target_size > e->next_offset)
++                      goto cleanup_matches;
+       target = try_then_request_module(xt_find_target(AF_INET,
+                                                    t->u.user.name,
+                                                    t->u.user.revision),
+@@ -720,19 +726,17 @@ translate_table(const char *name,
+               }
+       }
+-      if (!mark_source_chains(newinfo, valid_hooks, entry0))
+-              return -ELOOP;
+-
+       /* Finally, each sanity check must pass */
+       i = 0;
+       ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
+                               check_entry, name, size, &i);
+-      if (ret != 0) {
+-              IPT_ENTRY_ITERATE(entry0, newinfo->size,
+-                                cleanup_entry, &i);
+-              return ret;
+-      }
++      if (ret != 0)
++              goto cleanup;
++
++      ret = -ELOOP;
++      if (!mark_source_chains(newinfo, valid_hooks, entry0))
++              goto cleanup;
+       /* And one copy for every other CPU */
+       for_each_possible_cpu(i) {
+@@ -740,6 +744,9 @@ translate_table(const char *name,
+                       memcpy(newinfo->entries[i], entry0, newinfo->size);
+       }
++      return 0;
++cleanup:
++      IPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
+       return ret;
+ }
+@@ -1531,6 +1538,10 @@ check_compat_entry_size_and_hooks(struct
+               return -EINVAL;
+       }
++      if (e->target_offset + sizeof(struct compat_xt_entry_target) >
++                                                              e->next_offset)
++              return -EINVAL;
++
+       off = 0;
+       entry_offset = (void *)e - (void *)base;
+       j = 0;
+@@ -1540,6 +1551,9 @@ check_compat_entry_size_and_hooks(struct
+               goto cleanup_matches;
+       t = ipt_get_target(e);
++      ret = -EINVAL;
++      if (e->target_offset + t->u.target_size > e->next_offset)
++                      goto cleanup_matches;
+       target = try_then_request_module(xt_find_target(AF_INET,
+                                                    t->u.user.name,
+                                                    t->u.user.revision),
+--- linux-2.6.18.3.orig/net/ipv6/netfilter/ip6_tables.c
++++ linux-2.6.18.3/net/ipv6/netfilter/ip6_tables.c
+@@ -592,12 +592,19 @@ check_entry(struct ip6t_entry *e, const 
+               return -EINVAL;
+       }
++      if (e->target_offset + sizeof(struct ip6t_entry_target) >
++                                                              e->next_offset)
++              return -EINVAL;
++
+       j = 0;
+       ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
+       if (ret != 0)
+               goto cleanup_matches;
+       t = ip6t_get_target(e);
++      ret = -EINVAL;
++      if (e->target_offset + t->u.target_size > e->next_offset)
++                      goto cleanup_matches;
+       target = try_then_request_module(xt_find_target(AF_INET6,
+                                                       t->u.user.name,
+                                                       t->u.user.revision),
+@@ -760,19 +767,17 @@ translate_table(const char *name,
+               }
+       }
+-      if (!mark_source_chains(newinfo, valid_hooks, entry0))
+-              return -ELOOP;
+-
+       /* Finally, each sanity check must pass */
+       i = 0;
+       ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
+                               check_entry, name, size, &i);
+-      if (ret != 0) {
+-              IP6T_ENTRY_ITERATE(entry0, newinfo->size,
+-                                cleanup_entry, &i);
+-              return ret;
+-      }
++      if (ret != 0)
++              goto cleanup;
++
++      ret = -ELOOP;
++      if (!mark_source_chains(newinfo, valid_hooks, entry0))
++              goto cleanup;
+       /* And one copy for every other CPU */
+       for_each_possible_cpu(i) {
+@@ -780,6 +785,9 @@ translate_table(const char *name,
+                       memcpy(newinfo->entries[i], entry0, newinfo->size);
+       }
++      return 0;
++cleanup:
++      IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
+       return ret;
+ }
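Review bot: The new bounds checks in check_entry (arp_tables.c, ip_tables.c, ip6_tables.c) and in check_compat_entry_size_and_hooks only bound the target from above: nothing rejects a `target_offset` smaller than the entry header, so the target may still overlap the `arpt_entry`/`ipt_entry`/`ip6t_entry` fields themselves, and nothing rejects a `t->u.target_size` smaller than the target header, which lets the second new comparison pass for a truncated target. A lower bound alongside the existing checks, `if (e->target_offset < sizeof(*e)) return -EINVAL;` before the first new check (using the respective entry header struct; confirm the struct for the compat path) and `if (t->u.target_size < sizeof(*t)) goto cleanup_matches;` (`return -EINVAL;` in arp_tables) right after `t = ipt_get_target(e);`, keeps the target strictly inside the entry. As a point of style, the added `goto cleanup_matches;` lines under `if (e->target_offset + t->u.target_size > e->next_offset)` are indented one level too deep. All four functions begin outside the hunk.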
diff --git a/queue-2.6.18/netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch b/queue-2.6.18/netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch
new file mode 100644 (file)
index 0000000..9a45ab2
--- /dev/null
@@ -0,0 +1,43 @@
+From stable-bounces@linux.kernel.org  Thu Nov 16 21:40:01 2006
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20061117053541.10231.82376.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:41 +0100 (MET)
+Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: Missing check for CAP_NET_ADMIN in iptables compat layer 
+
+The 32bit compatibility layer has no CAP_NET_ADMIN check in
+compat_do_ipt_get_ctl, which for example allows to list the current
+iptables rules even without having that capability (the non-compat
+version requires it). Other capabilities might be required to exploit
+the bug (eg. CAP_NET_RAW to get the nfnetlink socket?), so a plain user
+can't exploit it, but a setup actually using the posix capability system
+might very well hit such a constellation of granted capabilities.
+
+Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit 4410392a8258fd972fc08a336278b14c82b2774f
+tree 567261d003b2a8fb08c2d89d0d708dd06f357f49
+parent b4d854665eafe32b48e0eecadb91a73f6eea0055
+author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:07 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:07 +0100
+
+ net/ipv4/netfilter/ip_tables.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_tables.c
+@@ -1994,6 +1994,9 @@ compat_do_ipt_get_ctl(struct sock *sk, i
+ {
+       int ret;
++      if (!capable(CAP_NET_ADMIN))
++              return -EPERM;
++
+       switch (cmd) {
+       case IPT_SO_GET_INFO:
+               ret = get_info(user, len, 1);
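Review bot: The new capability check in compat_do_ipt_get_ctl carries no comment tying it to the native entry point, so a later cleanup could mistake it for a redundant guard and drop it; suggest `/* Same privilege requirement as do_ipt_get_ctl: the compat path must not be weaker. */` above `if (!capable(CAP_NET_ADMIN))`. The check sits correctly before the `switch`, so every `cmd` is covered. The rest of compat_do_ipt_get_ctl lies outside the hunk.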
diff --git a/queue-2.6.18/netfilter-xt_connsecmark-fix-kconfig-dependencies.patch b/queue-2.6.18/netfilter-xt_connsecmark-fix-kconfig-dependencies.patch
new file mode 100644 (file)
index 0000000..47dfc73
--- /dev/null
@@ -0,0 +1,40 @@
+From stable-bounces@linux.kernel.org  Thu Nov 16 21:41:03 2006
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20061117053550.10231.53961.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:50 +0100 (MET)
+Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: xt_CONNSECMARK: fix Kconfig dependencies
+
+CONNSECMARK needs conntrack, add missing dependency to fix linking error
+with CONNSECMARK=y and CONNTRACK=m.
+
+Reported by Toralf Förster <toralf.foerster@gmx.de>.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit 7f013c33ba2b02614c856d715b65d858bc1ec47f
+tree 7ba757cfe1e953e47726bdcf956c16d07d94aa6e
+parent ca6adddd237afa4910bab5e9e8ba0685f37c2bfe
+author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:54 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:54 +0100
+
+ net/netfilter/Kconfig |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/net/netfilter/Kconfig
++++ linux-2.6.18.3/net/netfilter/Kconfig
+@@ -197,7 +197,9 @@ config NETFILTER_XT_TARGET_SECMARK
+ config NETFILTER_XT_TARGET_CONNSECMARK
+       tristate '"CONNSECMARK" target support'
+-      depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK)
++      depends on NETFILTER_XTABLES && \
++                 ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
++                  (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))
+       help
+         The CONNSECMARK target copies security markings from packets
+         to connections, and restores security markings from connections
diff --git a/queue-2.6.18/series b/queue-2.6.18/series
new file mode 100644 (file)
index 0000000..866ba5f
--- /dev/null
@@ -0,0 +1,8 @@
+netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch
+netfilter-ip_tables-compat-error-way-cleanup.patch
+netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch
+netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch
+netfilter-arp_tables-missing-unregistration-on-module-unload.patch
+netfilter-kconfig-fix-xt_physdev-dependencies.patch
+netfilter-honour-source-routing-for-lvs-nat.patch
+netfilter-xt_connsecmark-fix-kconfig-dependencies.patch