3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jan 2015 23:44:00 +0000 (15:44 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jan 2015 23:44:00 +0000 (15:44 -0800)
added patches:
ipvs-uninitialized-data-with-ip_vs_ipv6.patch
netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch

queue-3.14/ipvs-uninitialized-data-with-ip_vs_ipv6.patch [new file with mode: 0644]
queue-3.14/netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/ipvs-uninitialized-data-with-ip_vs_ipv6.patch b/queue-3.14/ipvs-uninitialized-data-with-ip_vs_ipv6.patch
new file mode 100644 (file)
index 0000000..782c316
--- /dev/null
@@ -0,0 +1,64 @@
+From 3b05ac3824ed9648c0d9c02d51d9b54e4e7e874f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 6 Dec 2014 16:49:24 +0300
+Subject: ipvs: uninitialized data with IP_VS_IPV6
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 3b05ac3824ed9648c0d9c02d51d9b54e4e7e874f upstream.
+
+The app_tcp_pkt_out() function expects "*diff" to be set and ends up
+using uninitialized data if CONFIG_IP_VS_IPV6 is turned on.
+
+The same issue is there in app_tcp_pkt_in().  Thanks to Julian Anastasov
+for noticing that.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_ftp.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ftp.c
++++ b/net/netfilter/ipvs/ip_vs_ftp.c
+@@ -183,6 +183,8 @@ static int ip_vs_ftp_out(struct ip_vs_ap
+       struct nf_conn *ct;
+       struct net *net;
++      *diff = 0;
++
+ #ifdef CONFIG_IP_VS_IPV6
+       /* This application helper doesn't work with IPv6 yet,
+        * so turn this into a no-op for IPv6 packets
+@@ -191,8 +193,6 @@ static int ip_vs_ftp_out(struct ip_vs_ap
+               return 1;
+ #endif
+-      *diff = 0;
+-
+       /* Only useful for established sessions */
+       if (cp->state != IP_VS_TCP_S_ESTABLISHED)
+               return 1;
+@@ -321,6 +321,9 @@ static int ip_vs_ftp_in(struct ip_vs_app
+       struct ip_vs_conn *n_cp;
+       struct net *net;
++      /* no diff required for incoming packets */
++      *diff = 0;
++
+ #ifdef CONFIG_IP_VS_IPV6
+       /* This application helper doesn't work with IPv6 yet,
+        * so turn this into a no-op for IPv6 packets
+@@ -329,9 +332,6 @@ static int ip_vs_ftp_in(struct ip_vs_app
+               return 1;
+ #endif
+-      /* no diff required for incoming packets */
+-      *diff = 0;
+-
+       /* Only useful for established sessions */
+       if (cp->state != IP_VS_TCP_S_ESTABLISHED)
+               return 1;
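Review bot: In ip_vs_ftp_out() the relocated `*diff = 0;` has no comment, and the one kept in ip_vs_ftp_in() (`/* no diff required for incoming packets */`) does not say why the store must sit above the CONFIG_IP_VS_IPV6 early return. Going by the commit message, the callers app_tcp_pkt_out() and app_tcp_pkt_in() appear to read *diff even when the helper returns 1, so a later reorder could silently bring back the uninitialized read. I would add `/* set before any early return: the caller reads *diff on every path */` above the assignment in both functions. Both function bodies start and end outside these hunks, so any other early-return paths could not be checked here.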
diff --git a/queue-3.14/netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch b/queue-3.14/netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch
new file mode 100644 (file)
index 0000000..2778f41
--- /dev/null
@@ -0,0 +1,32 @@
+From 9ea2aa8b7dba9e99544c4187cc298face254569f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 4 Jan 2015 15:20:29 +0100
+Subject: netfilter: nfnetlink: validate nfnetlink header from batch
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 9ea2aa8b7dba9e99544c4187cc298face254569f upstream.
+
+Make sure there is enough room for the nfnetlink header in the
+netlink messages that are part of the batch. There is a similar
+check in netlink_rcv_skb().
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nfnetlink.c
++++ b/net/netfilter/nfnetlink.c
+@@ -265,7 +265,8 @@ replay:
+               nlh = nlmsg_hdr(skb);
+               err = 0;
+-              if (nlh->nlmsg_len < NLMSG_HDRLEN) {
++              if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
++                  skb->len < nlh->nlmsg_len) {
+                       err = -EINVAL;
+                       goto ack;
+               }
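Review bot: The new condition drops the old `nlh->nlmsg_len < NLMSG_HDRLEN` test, and `nlmsg_len(nlh)` does not replace it. That helper returns an int computed as the message length minus the header length, so for a too-short message it goes negative and is converted to a large unsigned value in the comparison with `sizeof(struct nfgenmsg)`, so the first clause does not reject it. Keeping the lower bound and testing it first closes the gap: `if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len || nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {`. The enclosing batch loop starts and ends outside the hunk, so how the accepted length is used afterwards is not visible here.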
index 19312e5bd85d8fc335f8d48fde804566f23bdd76..af5d219f58b30fe3095a053a45149a3495baa879 100644 (file)
@@ -30,3 +30,5 @@ x86-apic-re-enable-pci_msi-support-for-non-smp-x86_32.patch
 x86-asm-traps-disable-tracing-and-kprobes-in-fixup_bad_iret-and-sync_regs.patch
 sata_dwc_460ex-fix-resource-leak-on-error-path.patch
 keys-close-race-between-key-lookup-and-freeing.patch
+netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch
+ipvs-uninitialized-data-with-ip_vs_ipv6.patch