From: Chris Wright Date: Fri, 17 Nov 2006 07:00:50 +0000 (-0800) Subject: netfilter patches queued for next -stable X-Git-Tag: v2.6.18.3~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=114bc7832f66ded105bf465ef550e3655f15814d;p=thirdparty%2Fkernel%2Fstable-queue.git
netfilter patches queued for next -stable
---
diff --git a/queue-2.6.18/netfilter-arp_tables-missing-unregistration-on-module-unload.patch b/queue-2.6.18/netfilter-arp_tables-missing-unregistration-on-module-unload.patch
new file mode 100644
index 00000000000..68a46289464
--- /dev/null
+++ b/queue-2.6.18/netfilter-arp_tables-missing-unregistration-on-module-unload.patch
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Thu Nov 16 21:40:49 2006
+From: Patrick McHardy
+To: stable@kernel.org
+Message-Id: <20061117053546.10231.16864.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:46 +0100 (MET)
+Cc: Patrick McHardy , davem@davemloft.net
+Subject: NETFILTER: arp_tables: missing unregistration on module unload
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+
+---
+commit 6b22b99ecd431b63aece1fa5b1faa01b75a8302e
+tree 7969fd96d4daad6eaf8a10a0659702ca3e404439
+parent 0ef4760e162ea44c847cca7393b36e5bcac5414e
+author Patrick McHardy Fri, 17 Nov 2006 06:24:43 +0100
+committer Patrick McHardy Fri, 17 Nov 2006 06:24:43 +0100
+
+ net/ipv4/netfilter/arp_tables.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/arp_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/arp_tables.c
+@@ -1211,6 +1211,8 @@ err1:
+ static void __exit arp_tables_fini(void)
+ {
+ nf_unregister_sockopt(&arpt_sockopts);
++ xt_unregister_target(&arpt_error_target);
++ xt_unregister_target(&arpt_standard_target);
+ xt_proto_fini(NF_ARP);
+ }
+
diff --git a/queue-2.6.18/netfilter-honour-source-routing-for-lvs-nat.patch b/queue-2.6.18/netfilter-honour-source-routing-for-lvs-nat.patch
new file mode 100644
index 00000000000..e8142eabe2e
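Review bot: The two new xt_unregister_target() calls in arp_tables_fini() remove the stale registrations, but the hunk shows nothing of arp_tables_init(), whose error label `err1:` is visible only in the hunk header; confirm that the init error path already unwinds both targets when nf_register_sockopt() fails, otherwise the same dangling registration survives a failed load and the next xt_find_target() walks freed module memory. The reverse order relative to init is implicit here and worth a comment, e.g. `/* undo arp_tables_init() in reverse; a registered target left behind points into unloaded module memory */`. arp_tables_init() is outside the hunk.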
--- /dev/null
+++ b/queue-2.6.18/netfilter-honour-source-routing-for-lvs-nat.patch
@@ -0,0 +1,128 @@ +From stable-bounces@linux.kernel.org Thu Nov 16 21:40:54 2006 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20061117053548.10231.71519.sendpatchset@localhost.localdomain> +Date: Fri, 17 Nov 2006 06:35:48 +0100 (MET) +Cc: Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: Honour source routing for LVS-NAT + +For policy routing, packets originating from this machine itself may be +routed differently to packets passing through. We want this packet to be +routed as if it came from this machine itself. So re-compute the routing +information using ip_route_me_harder(). + +This patch is derived from work by Ken Brownfield + +This patch (-stable version) also includes commit +b4c4ed175ff0ee816df48571cfa9b73f521964b6 ([NETFILTER]: add type parameter +to ip_route_me_harder), which is a precondition for the fix. + +Cc: Ken Brownfield +Signed-off-by: Simon Horman +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- +commit cf08e74a590c945d3c0b95886ea3fad8ff73793d +tree d5c1a44360bb9a4a2d59e37a9f0dc3c6ce0b6c49 +parent 6b22b99ecd431b63aece1fa5b1faa01b75a8302e +author Patrick McHardy Fri, 17 Nov 2006 06:25:11 +0100 +committer Patrick McHardy Fri, 17 Nov 2006 06:25:11 +0100 + + include/linux/netfilter_ipv4.h | 2 +- + net/ipv4/ipvs/ip_vs_core.c | 10 ++++++++++ + net/ipv4/netfilter.c | 9 ++++++--- + net/ipv4/netfilter/ip_nat_standalone.c | 3 ++- + net/ipv4/netfilter/iptable_mangle.c | 3 ++- + 5 files changed, 21 insertions(+), 6 deletions(-) + +--- linux-2.6.18.3.orig/include/linux/netfilter_ipv4.h ++++ linux-2.6.18.3/include/linux/netfilter_ipv4.h +@@ -77,7 +77,7 @@ enum nf_ip_hook_priorities { + #define SO_ORIGINAL_DST 80 + + #ifdef __KERNEL__ +-extern int ip_route_me_harder(struct sk_buff **pskb); ++extern int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type); + extern int ip_xfrm_me_harder(struct sk_buff **pskb); + extern unsigned int nf_ip_checksum(struct sk_buff *skb, unsigned 
int hook, + unsigned int dataoff, u_int8_t protocol); +--- linux-2.6.18.3.orig/net/ipv4/ipvs/ip_vs_core.c ++++ linux-2.6.18.3/net/ipv4/ipvs/ip_vs_core.c +@@ -813,6 +813,16 @@ ip_vs_out(unsigned int hooknum, struct s + skb->nh.iph->saddr = cp->vaddr; + ip_send_check(skb->nh.iph); + ++ /* For policy routing, packets originating from this ++ * machine itself may be routed differently to packets ++ * passing through. We want this packet to be routed as ++ * if it came from this machine itself. So re-compute ++ * the routing information. ++ */ ++ if (ip_route_me_harder(pskb, RTN_LOCAL) != 0) ++ goto drop; ++ skb = *pskb; ++ + IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT"); + + ip_vs_out_stats(cp, skb); +--- linux-2.6.18.3.orig/net/ipv4/netfilter.c ++++ linux-2.6.18.3/net/ipv4/netfilter.c +@@ -8,7 +8,7 @@ + #include + + /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */ +-int ip_route_me_harder(struct sk_buff **pskb) ++int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type) + { + struct iphdr *iph = (*pskb)->nh.iph; + struct rtable *rt; +@@ -16,10 +16,13 @@ int ip_route_me_harder(struct sk_buff ** + struct dst_entry *odst; + unsigned int hh_len; + ++ if (addr_type == RTN_UNSPEC) ++ addr_type = inet_addr_type(iph->saddr); ++ + /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause + * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook. 
+ */ +- if (inet_addr_type(iph->saddr) == RTN_LOCAL) { ++ if (addr_type == RTN_LOCAL) { + fl.nl_u.ip4_u.daddr = iph->daddr; + fl.nl_u.ip4_u.saddr = iph->saddr; + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); +@@ -156,7 +159,7 @@ static int nf_ip_reroute(struct sk_buff + if (!(iph->tos == rt_info->tos + && iph->daddr == rt_info->daddr + && iph->saddr == rt_info->saddr)) +- return ip_route_me_harder(pskb); ++ return ip_route_me_harder(pskb, RTN_UNSPEC); + } + return 0; + } +--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_nat_standalone.c ++++ linux-2.6.18.3/net/ipv4/netfilter/ip_nat_standalone.c +@@ -275,7 +275,8 @@ ip_nat_local_fn(unsigned int hooknum, + ct->tuplehash[!dir].tuple.src.u.all + #endif + ) +- return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP; ++ if (ip_route_me_harder(pskb, RTN_UNSPEC)) ++ ret = NF_DROP; + } + return ret; + } +--- linux-2.6.18.3.orig/net/ipv4/netfilter/iptable_mangle.c ++++ linux-2.6.18.3/net/ipv4/netfilter/iptable_mangle.c +@@ -157,7 +157,8 @@ ipt_local_hook(unsigned int hook, + || (*pskb)->nfmark != nfmark + #endif + || (*pskb)->nh.iph->tos != tos)) +- return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP; ++ if (ip_route_me_harder(pskb, RTN_UNSPEC)) ++ ret = NF_DROP; + + return ret; + } diff --git a/queue-2.6.18/netfilter-ip_tables-compat-error-way-cleanup.patch b/queue-2.6.18/netfilter-ip_tables-compat-error-way-cleanup.patch new file mode 100644 index 00000000000..b0209c3fa22 --- /dev/null +++ b/queue-2.6.18/netfilter-ip_tables-compat-error-way-cleanup.patch 
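Review bot: The new `goto drop` in ip_vs_out() fires after the SNAT rewrite and ip_send_check(), but the `drop` label is outside the hunk, so it is not visible whether it both releases the connection reference `cp` held at this point and frees `*pskb`; if it does only one of the two, a routing failure now leaks the other. The reload `skb = *pskb` after ip_route_me_harder() is correct since the helper may replace the buffer, which means every later use in the function must go through the reloaded pointer. Suggest a comment at the jump, e.g. `/* drop: must release cp (ip_vs_conn_put) and free *pskb */`, once the label has been checked. The body of ip_vs_out() continues past the hunk.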
@@ -0,0 +1,39 @@
+From stable-bounces@linux.kernel.org Thu Nov 16 21:40:05 2006
+From: Patrick McHardy
+To: stable@kernel.org
+Message-Id: <20061117053542.10231.61123.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:42 +0100 (MET)
+Cc: Patrick McHardy , davem@davemloft.net
+Subject: NETFILTER: ip_tables: compat error way cleanup
+
+This patch adds forgotten compat_flush_offset() call to error way of
+translate_compat_table(). May lead to table corruption on the next
+compat_do_replace().
+
+Signed-off-by: Vasily Averin
+Acked-by: Dmitry Mishin
+Acked-by: Kirill Korotaev
+Signed-off-by: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+
+---
+commit efb1447a67abac93048ad7af0c59cd9b5a9177a6
+tree 9d56a6e758a3ad0e617f2527ac4b4efdeba5b64a
+parent 4410392a8258fd972fc08a336278b14c82b2774f
+author Patrick McHardy Fri, 17 Nov 2006 06:22:39 +0100
+committer Patrick McHardy Fri, 17 Nov 2006 06:22:39 +0100
+
+ net/ipv4/netfilter/ip_tables.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_tables.c
+@@ -1775,6 +1775,7 @@ free_newinfo:
+ out:
+ return ret;
+ out_unlock:
++ compat_flush_offsets();
+ xt_compat_unlock(AF_INET);
+ goto out;
+ }
diff --git a/queue-2.6.18/netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch b/queue-2.6.18/netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch
new file mode 100644
index 00000000000..d87976cb502
--- /dev/null
+++ b/queue-2.6.18/netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch
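Review bot: compat_flush_offsets() is placed on the `out_unlock` path before xt_compat_unlock(AF_INET), which is the only safe order if the offset table is guarded by that lock, but nothing in the code says so and a later cleanup could swap the two lines. A comment would pin it, e.g. `/* flush the per-replace offset table while still holding the compat lock, so the next compat_do_replace() starts clean */`. The success path of translate_compat_table() is outside the hunk; confirm it flushes the same way before unlocking. The description names `compat_flush_offset()` while the code calls `compat_flush_offsets()`, which will mislead anyone grepping for it.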
@@ -0,0 +1,159 @@ +From stable-bounces@linux.kernel.org Thu Nov 16 21:40:10 2006 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20061117053544.10231.95904.sendpatchset@localhost.localdomain> +Date: Fri, 17 Nov 2006 06:35:44 +0100 (MET) +Cc: Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: ip_tables: fix module refcount leaks in compat error paths + +Based on patch by myself with additional fixes from Dmitry Mishin . + +Signed-off-by: Dmitry Mishin +Acked-by: Vasily Averin +Acked-by: Kirill Korotaev +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- +commit 94a3d63f9ca6cb404f62ee4186d20fec3e8bdc97 +tree 86873a5eff586598eceabdbe4c042c55f62d4fbc +parent efb1447a67abac93048ad7af0c59cd9b5a9177a6 +author Patrick McHardy Fri, 17 Nov 2006 06:23:20 +0100 +committer Patrick McHardy Fri, 17 Nov 2006 06:23:20 +0100 + + net/ipv4/netfilter/ip_tables.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_tables.c ++++ linux-2.6.18.3/net/ipv4/netfilter/ip_tables.c +@@ -1537,7 +1537,7 @@ check_compat_entry_size_and_hooks(struct + ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip, + e->comefrom, &off, &j); + if (ret != 0) +- goto out; ++ goto cleanup_matches; + + t = ipt_get_target(e); + target = try_then_request_module(xt_find_target(AF_INET, +@@ -1547,7 +1547,7 @@ check_compat_entry_size_and_hooks(struct + if (IS_ERR(target) || !target) { + duprintf("check_entry: `%s' not found\n", t->u.user.name); + ret = target ? 
PTR_ERR(target) : -ENOENT; +- goto out; ++ goto cleanup_matches; + } + t->u.kernel.target = target; + +@@ -1574,7 +1574,10 @@ check_compat_entry_size_and_hooks(struct + + (*i)++; + return 0; ++ + out: ++ module_put(t->u.kernel.target->me); ++cleanup_matches: + IPT_MATCH_ITERATE(e, cleanup_match, &j); + return ret; + } +@@ -1597,18 +1600,16 @@ static inline int compat_copy_match_from + ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm), + name, hookmask, ip->proto, + ip->invflags & IPT_INV_PROTO); +- if (ret) +- return ret; + +- if (m->u.kernel.match->checkentry ++ if (!ret && m->u.kernel.match->checkentry + && !m->u.kernel.match->checkentry(name, ip, match, dm->data, + dm->u.match_size - sizeof(*dm), + hookmask)) { + duprintf("ip_tables: check failed for `%s'.\n", + m->u.kernel.match->name); +- return -EINVAL; ++ ret = -EINVAL; + } +- return 0; ++ return ret; + } + + static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr, +@@ -1630,7 +1631,7 @@ static int compat_copy_entry_from_user(s + ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size, + name, &de->ip, de->comefrom); + if (ret) +- goto out; ++ goto err; + de->target_offset = e->target_offset - (origsize - *size); + t = ipt_get_target(e); + target = t->u.kernel.target; +@@ -1653,22 +1654,22 @@ static int compat_copy_entry_from_user(s + name, e->comefrom, e->ip.proto, + e->ip.invflags & IPT_INV_PROTO); + if (ret) +- goto out; ++ goto err; + + ret = -EINVAL; + if (t->u.kernel.target == &ipt_standard_target) { + if (!standard_check(t, *size)) +- goto out; ++ goto err; + } else if (t->u.kernel.target->checkentry + && !t->u.kernel.target->checkentry(name, de, target, + t->data, t->u.target_size - sizeof(*t), + de->comefrom)) { + duprintf("ip_tables: compat: check failed for `%s'.\n", + t->u.kernel.target->name); +- goto out; ++ goto err; + } + ret = 0; +-out: ++ err: + return ret; + } + +@@ -1682,7 +1683,7 @@ translate_compat_table(const char *name, + unsigned int 
*hook_entries, + unsigned int *underflows) + { +- unsigned int i; ++ unsigned int i, j; + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + unsigned int size; +@@ -1700,21 +1701,21 @@ translate_compat_table(const char *name, + } + + duprintf("translate_compat_table: size %u\n", info->size); +- i = 0; ++ j = 0; + xt_compat_lock(AF_INET); + /* Walk through entries, checking offsets. */ + ret = IPT_ENTRY_ITERATE(entry0, total_size, + check_compat_entry_size_and_hooks, + info, &size, entry0, + entry0 + total_size, +- hook_entries, underflows, &i, name); ++ hook_entries, underflows, &j, name); + if (ret != 0) + goto out_unlock; + + ret = -EINVAL; +- if (i != number) { ++ if (j != number) { + duprintf("translate_compat_table: %u not %u entries\n", +- i, number); ++ j, number); + goto out_unlock; + } + +@@ -1773,6 +1774,7 @@ translate_compat_table(const char *name, + free_newinfo: + xt_free_table_info(newinfo); + out: ++ IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j); + return ret; + out_unlock: + compat_flush_offsets(); diff --git a/queue-2.6.18/netfilter-kconfig-fix-xt_physdev-dependencies.patch b/queue-2.6.18/netfilter-kconfig-fix-xt_physdev-dependencies.patch new file mode 100644 index 00000000000..463e65ae457 --- /dev/null +++ b/queue-2.6.18/netfilter-kconfig-fix-xt_physdev-dependencies.patch 
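Review bot: Label indentation in the new code is inconsistent within one function: check_compat_entry_size_and_hooks() gains ` out:` with a leading space right above `cleanup_matches:` at column 0, and compat_copy_entry_from_user() gets ` err:`; kernel style puts labels at column 0, so `out:` and `err:`. The new `out:` in translate_compat_table() drops the module references of the `j` entries that passed check_compat_entry_size_and_hooks(), which is only correct because `j = 0` precedes the first `goto out_unlock`; a comment would protect that ordering, e.g. `/* j entries hold match/target module refs from check_compat_entry_size_and_hooks(); release them on every error path */`. The head of translate_compat_table() is outside the hunk, so confirm no earlier `goto out` runs before `j` is initialised.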
@@ -0,0 +1,37 @@
+From stable-bounces@linux.kernel.org Thu Nov 16 21:40:53 2006
+From: Patrick McHardy
+To: stable@kernel.org
+Message-Id: <20061117053549.10231.57261.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:49 +0100 (MET)
+Cc: Patrick McHardy , davem@davemloft.net
+Subject: NETFILTER: Kconfig: fix xt_physdev dependencies
+
+xt_physdev depends on bridge netfilter, which is a boolean, but can still
+be built modular because of special handling in the bridge makefile. Add
+a dependency on BRIDGE to prevent XT_MATCH_PHYSDEV=y, BRIDGE=m.
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+
+---
+commit ca6adddd237afa4910bab5e9e8ba0685f37c2bfe
+tree 45c88fae3ec75a90ffac423906e662bdb36e8251
+parent cf08e74a590c945d3c0b95886ea3fad8ff73793d
+author Patrick McHardy Fri, 17 Nov 2006 06:25:31 +0100
+committer Patrick McHardy Fri, 17 Nov 2006 06:25:31 +0100
+
+ net/netfilter/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/net/netfilter/Kconfig
++++ linux-2.6.18.3/net/netfilter/Kconfig
+@@ -342,7 +342,7 @@ config NETFILTER_XT_MATCH_MULTIPORT
+
+ config NETFILTER_XT_MATCH_PHYSDEV
+ tristate '"physdev" match support'
+- depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
++ depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
+ help
+ Physdev packet matching matches against the physical bridge ports
+ the IP packet arrived on or will leave by.
diff --git a/queue-2.6.18/netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch b/queue-2.6.18/netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch
new file mode 100644
index 00000000000..495e70f4fca
--- /dev/null
+++ b/queue-2.6.18/netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch
@@ -0,0 +1,233 @@ +From stable-bounces@linux.kernel.org Thu Nov 16 21:40:15 2006 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20061117053545.10231.94652.sendpatchset@localhost.localdomain> +Date: Fri, 17 Nov 2006 06:35:45 +0100 (MET) +Cc: Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: Missed and reordered checks in {arp, ip, ip6}_tables + +There is a number of issues in parsing user-provided table in +translate_table(). Malicious user with CAP_NET_ADMIN may crash system by +passing special-crafted table to the *_tables. + +The first issue is that mark_source_chains() function is called before entry +content checks. In case of standard target, mark_source_chains() function +uses t->verdict field in order to determine new position. But the check, that +this field leads no further, than the table end, is in check_entry(), which +is called later, than mark_source_chains(). + +The second issue, that there is no check that target_offset points inside +entry. If so, *_ITERATE_MATCH macro will follow further, than the entry +ends. As a result, we'll have oops or memory disclosure. + +And the third issue, that there is no check that the target is completely +inside entry. Results are the same, as in previous issue. + +Signed-off-by: Dmitry Mishin +Acked-by: Kirill Korotaev +Signed-off-by: Patrick McHardy +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright + +--- +commit 0ef4760e162ea44c847cca7393b36e5bcac5414e +tree 7036ce51d75aaf46d5c4abca281956c39caced10 +parent 94a3d63f9ca6cb404f62ee4186d20fec3e8bdc97 +author Patrick McHardy Fri, 17 Nov 2006 06:24:10 +0100 +committer Patrick McHardy Fri, 17 Nov 2006 06:24:10 +0100 + + net/ipv4/netfilter/arp_tables.c | 25 ++++++++++++++++--------- + net/ipv4/netfilter/ip_tables.c | 30 ++++++++++++++++++++++-------- + net/ipv6/netfilter/ip6_tables.c | 24 ++++++++++++++++-------- + 3 files changed, 54 insertions(+), 25 deletions(-) + +--- linux-2.6.18.3.orig/net/ipv4/netfilter/arp_tables.c ++++ linux-2.6.18.3/net/ipv4/netfilter/arp_tables.c +@@ -471,7 +471,13 @@ static inline int check_entry(struct arp + return -EINVAL; + } + ++ if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset) ++ return -EINVAL; ++ + t = arpt_get_target(e); ++ if (e->target_offset + t->u.target_size > e->next_offset) ++ return -EINVAL; ++ + target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name, + t->u.user.revision), + "arpt_%s", t->u.user.name); +@@ -629,20 +635,18 @@ static int translate_table(const char *n + } + } + +- if (!mark_source_chains(newinfo, valid_hooks, entry0)) { +- duprintf("Looping hook\n"); +- return -ELOOP; +- } +- + /* Finally, each sanity check must pass */ + i = 0; + ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size, + check_entry, name, size, &i); + +- if (ret != 0) { +- ARPT_ENTRY_ITERATE(entry0, newinfo->size, +- cleanup_entry, &i); +- return ret; ++ if (ret != 0) ++ goto cleanup; ++ ++ ret = -ELOOP; ++ if (!mark_source_chains(newinfo, valid_hooks, entry0)) { ++ duprintf("Looping hook\n"); ++ goto cleanup; + } + + /* And one copy for every other CPU */ +@@ -651,6 +655,9 @@ static int translate_table(const char *n + memcpy(newinfo->entries[i], entry0, newinfo->size); + } + ++ return 0; ++cleanup: ++ ARPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i); + return ret; + } + +--- 
linux-2.6.18.3.orig/net/ipv4/netfilter/ip_tables.c ++++ linux-2.6.18.3/net/ipv4/netfilter/ip_tables.c +@@ -552,12 +552,18 @@ check_entry(struct ipt_entry *e, const c + return -EINVAL; + } + ++ if (e->target_offset + sizeof(struct ipt_entry_target) > e->next_offset) ++ return -EINVAL; ++ + j = 0; + ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j); + if (ret != 0) + goto cleanup_matches; + + t = ipt_get_target(e); ++ ret = -EINVAL; ++ if (e->target_offset + t->u.target_size > e->next_offset) ++ goto cleanup_matches; + target = try_then_request_module(xt_find_target(AF_INET, + t->u.user.name, + t->u.user.revision), +@@ -720,19 +726,17 @@ translate_table(const char *name, + } + } + +- if (!mark_source_chains(newinfo, valid_hooks, entry0)) +- return -ELOOP; +- + /* Finally, each sanity check must pass */ + i = 0; + ret = IPT_ENTRY_ITERATE(entry0, newinfo->size, + check_entry, name, size, &i); + +- if (ret != 0) { +- IPT_ENTRY_ITERATE(entry0, newinfo->size, +- cleanup_entry, &i); +- return ret; +- } ++ if (ret != 0) ++ goto cleanup; ++ ++ ret = -ELOOP; ++ if (!mark_source_chains(newinfo, valid_hooks, entry0)) ++ goto cleanup; + + /* And one copy for every other CPU */ + for_each_possible_cpu(i) { +@@ -740,6 +744,9 @@ translate_table(const char *name, + memcpy(newinfo->entries[i], entry0, newinfo->size); + } + ++ return 0; ++cleanup: ++ IPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i); + return ret; + } + +@@ -1531,6 +1538,10 @@ check_compat_entry_size_and_hooks(struct + return -EINVAL; + } + ++ if (e->target_offset + sizeof(struct compat_xt_entry_target) > ++ e->next_offset) ++ return -EINVAL; ++ + off = 0; + entry_offset = (void *)e - (void *)base; + j = 0; +@@ -1540,6 +1551,9 @@ check_compat_entry_size_and_hooks(struct + goto cleanup_matches; + + t = ipt_get_target(e); ++ ret = -EINVAL; ++ if (e->target_offset + t->u.target_size > e->next_offset) ++ goto cleanup_matches; + target = try_then_request_module(xt_find_target(AF_INET, + 
t->u.user.name, + t->u.user.revision), +--- linux-2.6.18.3.orig/net/ipv6/netfilter/ip6_tables.c ++++ linux-2.6.18.3/net/ipv6/netfilter/ip6_tables.c +@@ -592,12 +592,19 @@ check_entry(struct ip6t_entry *e, const + return -EINVAL; + } + ++ if (e->target_offset + sizeof(struct ip6t_entry_target) > ++ e->next_offset) ++ return -EINVAL; ++ + j = 0; + ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j); + if (ret != 0) + goto cleanup_matches; + + t = ip6t_get_target(e); ++ ret = -EINVAL; ++ if (e->target_offset + t->u.target_size > e->next_offset) ++ goto cleanup_matches; + target = try_then_request_module(xt_find_target(AF_INET6, + t->u.user.name, + t->u.user.revision), +@@ -760,19 +767,17 @@ translate_table(const char *name, + } + } + +- if (!mark_source_chains(newinfo, valid_hooks, entry0)) +- return -ELOOP; +- + /* Finally, each sanity check must pass */ + i = 0; + ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size, + check_entry, name, size, &i); + +- if (ret != 0) { +- IP6T_ENTRY_ITERATE(entry0, newinfo->size, +- cleanup_entry, &i); +- return ret; +- } ++ if (ret != 0) ++ goto cleanup; ++ ++ ret = -ELOOP; ++ if (!mark_source_chains(newinfo, valid_hooks, entry0)) ++ goto cleanup; + + /* And one copy for every other CPU */ + for_each_possible_cpu(i) { +@@ -780,6 +785,9 @@ translate_table(const char *name, + memcpy(newinfo->entries[i], entry0, newinfo->size); + } + ++ return 0; ++cleanup: ++ IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i); + return ret; + } + diff --git a/queue-2.6.18/netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch b/queue-2.6.18/netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch new file mode 100644 index 00000000000..9a45ab249f5 --- /dev/null +++ b/queue-2.6.18/netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch 
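Review bot: The new checks bound the target only from above (`target_offset + sizeof(*t)` and `target_offset + t->u.target_size` against `next_offset`); as far as the hunk shows nothing rejects `target_offset < sizeof(struct ipt_entry)` or `t->u.target_size < sizeof(struct ipt_entry_target)`, so a crafted target can still overlap the entry header, and the match walk before it still steps by each user-supplied `match_size` unless check_match (outside the hunk) validates that. For ip_tables.c the header side closes with `if (e->target_offset < sizeof(struct ipt_entry)) return -EINVAL;` beside the first new check and `if (t->u.target_size < sizeof(struct ipt_entry_target)) goto cleanup_matches;` before the second; arp_tables.c and ip6_tables.c need the same with their own entry and target types. Moving mark_source_chains() behind check_entry is right, since its use of `t->verdict` now sees only validated entries. The callers of these check functions are outside the hunk.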
@@ -0,0 +1,43 @@
+From stable-bounces@linux.kernel.org Thu Nov 16 21:40:01 2006
+From: Patrick McHardy
+To: stable@kernel.org
+Message-Id: <20061117053541.10231.82376.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:41 +0100 (MET)
+Cc: Patrick McHardy , davem@davemloft.net
+Subject: NETFILTER: Missing check for CAP_NET_ADMIN in iptables compat layer
+
+The 32bit compatibility layer has no CAP_NET_ADMIN check in
+compat_do_ipt_get_ctl, which for example allows to list the current
+iptables rules even without having that capability (the non-compat
+version requires it). Other capabilities might be required to exploit
+the bug (eg. CAP_NET_RAW to get the nfnetlink socket?), so a plain user
+can't exploit it, but a setup actually using the posix capability system
+might very well hit such a constellation of granted capabilities.
+
+Signed-off-by: Björn Steinbrink
+Signed-off-by: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+
+---
+commit 4410392a8258fd972fc08a336278b14c82b2774f
+tree 567261d003b2a8fb08c2d89d0d708dd06f357f49
+parent b4d854665eafe32b48e0eecadb91a73f6eea0055
+author Patrick McHardy Fri, 17 Nov 2006 06:22:07 +0100
+committer Patrick McHardy Fri, 17 Nov 2006 06:22:07 +0100
+
+ net/ipv4/netfilter/ip_tables.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_tables.c
+@@ -1994,6 +1994,9 @@ compat_do_ipt_get_ctl(struct sock *sk, i
+ {
+ int ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+ ret = get_info(user, len, 1);
diff --git a/queue-2.6.18/netfilter-xt_connsecmark-fix-kconfig-dependencies.patch b/queue-2.6.18/netfilter-xt_connsecmark-fix-kconfig-dependencies.patch
new file mode 100644
index 00000000000..47dfc7343a0
--- /dev/null
+++ b/queue-2.6.18/netfilter-xt_connsecmark-fix-kconfig-dependencies.patch
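Review bot: The capability guard is added to compat_do_ipt_get_ctl() only; the companion compat_do_ipt_set_ctl() and the native do_ipt_get_ctl() are outside the hunk, so confirm the set side already carries `if (!capable(CAP_NET_ADMIN)) return -EPERM;` and that no other 32-bit compat entry point in the *_tables code lacks it. The check is correctly placed before the `switch (cmd)` so every sub-command is covered, but a one-line comment would record why listing is privileged, e.g. `/* mirror do_ipt_get_ctl(): rule contents are CAP_NET_ADMIN only, also on the compat path */`. The rest of compat_do_ipt_get_ctl() continues past the hunk.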
@@ -0,0 +1,40 @@
+From stable-bounces@linux.kernel.org Thu Nov 16 21:41:03 2006
+From: Patrick McHardy
+To: stable@kernel.org
+Message-Id: <20061117053550.10231.53961.sendpatchset@localhost.localdomain>
+Date: Fri, 17 Nov 2006 06:35:50 +0100 (MET)
+Cc: Patrick McHardy , davem@davemloft.net
+Subject: NETFILTER: xt_CONNSECMARK: fix Kconfig dependencies
+
+CONNSECMARK needs conntrack, add missing dependency to fix linking error
+with CONNSECMARK=y and CONNTRACK=m.
+
+Reported by Toralf Förster .
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+
+---
+commit 7f013c33ba2b02614c856d715b65d858bc1ec47f
+tree 7ba757cfe1e953e47726bdcf956c16d07d94aa6e
+parent ca6adddd237afa4910bab5e9e8ba0685f37c2bfe
+author Patrick McHardy Fri, 17 Nov 2006 06:25:54 +0100
+committer Patrick McHardy Fri, 17 Nov 2006 06:25:54 +0100
+
+ net/netfilter/Kconfig | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/net/netfilter/Kconfig
++++ linux-2.6.18.3/net/netfilter/Kconfig
+@@ -197,7 +197,9 @@ config NETFILTER_XT_TARGET_SECMARK
+
+ config NETFILTER_XT_TARGET_CONNSECMARK
+ tristate '"CONNSECMARK" target support'
+- depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK)
++ depends on NETFILTER_XTABLES && \
++ ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
++ (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))
+ help
+ The CONNSECMARK target copies security markings from packets
+ to connections, and restores security markings from connections
diff --git a/queue-2.6.18/series b/queue-2.6.18/series
new file mode 100644
index 00000000000..866ba5fd948
--- /dev/null
+++ b/queue-2.6.18/series
@@ -0,0 +1,8 @@
+netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch
+netfilter-ip_tables-compat-error-way-cleanup.patch
+netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch
+netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch
+netfilter-arp_tables-missing-unregistration-on-module-unload.patch
+netfilter-kconfig-fix-xt_physdev-dependencies.patch
+netfilter-honour-source-routing-for-lvs-nat.patch
+netfilter-xt_connsecmark-fix-kconfig-dependencies.patch