From: Sasha Levin Date: Mon, 30 Jan 2023 14:20:42 +0000 (-0500) Subject: Drop netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch X-Git-Tag: v5.10.166~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65e4457b124efb65673b3e07d7630cffa4dde7fe;p=thirdparty%2Fkernel%2Fstable-queue.git Drop netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch b/queue-4.14/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch deleted file mode 100644 index b8e50c66fd9..00000000000 --- a/queue-4.14/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 56b843f0a75f0c950cc23e642e8789bec27b949c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 24 Jan 2023 02:47:19 +0100 -Subject: netfilter: conntrack: fix bug in for_each_sctp_chunk - -From: Sriram Yagnaraman - -[ Upstream commit 98ee0077452527f971567db01386de3c3d97ce13 ] - -skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds -skb->len, so this offset < skb->len test is redundant. - -if sch->length == 0, this will end up in an infinite loop, add a check -for sch->length > 0 - -Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") -Suggested-by: Florian Westphal -Signed-off-by: Sriram Yagnaraman -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_proto_sctp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c -index 1278b27c625a..cffd37f56c5c 100644 ---- a/net/netfilter/nf_conntrack_proto_sctp.c -+++ b/net/netfilter/nf_conntrack_proto_sctp.c -@@ -184,8 +184,8 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) - - #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ - for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ -- (offset) < (skb)->len && \ -- ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ -+ ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ -+ (sch)->length; \ - (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) - - /* Some validity checks to make sure the chunks are fine */ --- -2.39.0 - diff --git a/queue-4.14/series b/queue-4.14/series index 15a5f43b10c..e1f57451244 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -30,7 +30,6 @@ edac-device-respect-any-driver-supplied-workqueue-polling-value.patch netlink-annotate-data-races-around-dst_portid-and-ds.patch netlink-annotate-data-races-around-sk_state.patch netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch -netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch netrom-fix-use-after-free-of-a-listening-socket.patch sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch diff --git a/queue-4.19/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch b/queue-4.19/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch deleted file mode 100644 index d0ecf3ef5c9..00000000000 --- a/queue-4.19/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch +++ /dev/null @@ -1,42 +0,0 @@ -From c2dfaed5a7e97a50275d89aaf4ee79c650abeeeb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 24 Jan 2023 02:47:19 +0100 -Subject: netfilter: conntrack: fix bug in for_each_sctp_chunk - -From: Sriram Yagnaraman - -[ Upstream commit 98ee0077452527f971567db01386de3c3d97ce13 ] - -skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds -skb->len, so this offset < skb->len test is redundant. - -if sch->length == 0, this will end up in an infinite loop, add a check -for sch->length > 0 - -Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") -Suggested-by: Florian Westphal -Signed-off-by: Sriram Yagnaraman -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_proto_sctp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c -index cadeb22a48f2..08ed6402ba1e 100644 ---- a/net/netfilter/nf_conntrack_proto_sctp.c -+++ b/net/netfilter/nf_conntrack_proto_sctp.c -@@ -163,8 +163,8 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) - - #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ - for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ -- (offset) < (skb)->len && \ -- ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ -+ ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ -+ (sch)->length; \ - (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) - - /* Some validity checks to make sure the chunks are fine */ --- -2.39.0 - diff --git a/queue-4.19/series b/queue-4.19/series index dee5ba625af..40d866010c6 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -55,7 +55,6 @@ netlink-annotate-data-races-around-dst_portid-and-ds.patch netlink-annotate-data-races-around-sk_state.patch ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch -netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch netrom-fix-use-after-free-of-a-listening-socket.patch sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch diff --git a/queue-5.10/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch b/queue-5.10/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch deleted file mode 100644 index a663e3b65b6..00000000000 --- a/queue-5.10/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 07139657761a88eee6f967790f87aef0324c9e1f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 24 Jan 2023 02:47:19 +0100 -Subject: netfilter: conntrack: fix bug in for_each_sctp_chunk - -From: Sriram Yagnaraman - -[ Upstream commit 98ee0077452527f971567db01386de3c3d97ce13 ] - -skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds -skb->len, so this offset < skb->len test is redundant. - -if sch->length == 0, this will end up in an infinite loop, add a check -for sch->length > 0 - -Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") -Suggested-by: Florian Westphal -Signed-off-by: Sriram Yagnaraman -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_proto_sctp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c -index 72d0aa603cd6..c0264bbc8466 100644 ---- a/net/netfilter/nf_conntrack_proto_sctp.c -+++ b/net/netfilter/nf_conntrack_proto_sctp.c -@@ -155,8 +155,8 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) - - #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ - for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ -- (offset) < (skb)->len && \ -- ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ -+ ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ -+ (sch)->length; \ - (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) - - /* Some validity checks to make sure the chunks are fine */ --- -2.39.0 - diff --git a/queue-5.10/series b/queue-5.10/series index e7e257f1503..86b0794d356 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -123,7 +123,6 @@ netlink-annotate-data-races-around-sk_state.patch ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch ipv4-prevent-potential-spectre-v1-gadget-in-fib_metr.patch netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch -netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch netrom-fix-use-after-free-of-a-listening-socket.patch net-sched-sch_taprio-do-not-schedule-in-taprio_reset.patch sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch diff --git a/queue-5.15/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch b/queue-5.15/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch deleted file mode 100644 index 1f888e1eb3c..00000000000 --- a/queue-5.15/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 95321a183d8e02fdb31af7bdbb6a006a9b9c98b0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 24 Jan 2023 02:47:19 +0100 -Subject: netfilter: conntrack: fix bug in for_each_sctp_chunk - -From: Sriram Yagnaraman - -[ Upstream commit 98ee0077452527f971567db01386de3c3d97ce13 ] - -skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds -skb->len, so this offset < skb->len test is redundant. - -if sch->length == 0, this will end up in an infinite loop, add a check -for sch->length > 0 - -Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") -Suggested-by: Florian Westphal -Signed-off-by: Sriram Yagnaraman -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_proto_sctp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c -index 3704d1c7d3c2..ee317f9a22e5 100644 ---- a/net/netfilter/nf_conntrack_proto_sctp.c -+++ b/net/netfilter/nf_conntrack_proto_sctp.c -@@ -155,8 +155,8 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) - - #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ - for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ -- (offset) < (skb)->len && \ -- ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ -+ ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ -+ (sch)->length; \ - (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) - - /* Some validity checks to make sure the chunks are fine */ --- -2.39.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 5e643ab73bb..43728bf33e3 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -178,7 +178,6 @@ netlink-annotate-data-races-around-sk_state.patch ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch ipv4-prevent-potential-spectre-v1-gadget-in-fib_metr.patch netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch -netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch netrom-fix-use-after-free-of-a-listening-socket.patch net-sched-sch_taprio-do-not-schedule-in-taprio_reset.patch sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch diff --git a/queue-5.4/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch b/queue-5.4/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch deleted file mode 100644 index c20e8aa21e2..00000000000 --- a/queue-5.4/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch +++ /dev/null @@ -1,42 +0,0 @@ -From c2c3a7a150f040ed17c41b906c11d609ec5096ef Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 24 Jan 2023 02:47:19 +0100 -Subject: netfilter: conntrack: fix bug in for_each_sctp_chunk - -From: Sriram Yagnaraman - -[ Upstream commit 98ee0077452527f971567db01386de3c3d97ce13 ] - -skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds -skb->len, so this offset < skb->len test is redundant. - -if sch->length == 0, this will end up in an infinite loop, add a check -for sch->length > 0 - -Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") -Suggested-by: Florian Westphal -Signed-off-by: Sriram Yagnaraman -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_proto_sctp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c -index 72d0aa603cd6..c0264bbc8466 100644 ---- a/net/netfilter/nf_conntrack_proto_sctp.c -+++ b/net/netfilter/nf_conntrack_proto_sctp.c -@@ -155,8 +155,8 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) - - #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ - for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ -- (offset) < (skb)->len && \ -- ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ -+ ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ -+ (sch)->length; \ - (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) - - /* Some validity checks to make sure the chunks are fine */ --- -2.39.0 - diff --git a/queue-5.4/series b/queue-5.4/series index bcc8dd14a43..9cf4571aa94 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -90,7 +90,6 @@ netlink-annotate-data-races-around-sk_state.patch ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch ipv4-prevent-potential-spectre-v1-gadget-in-fib_metr.patch netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch -netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch netrom-fix-use-after-free-of-a-listening-socket.patch net-sched-sch_taprio-do-not-schedule-in-taprio_reset.patch sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch diff --git a/queue-6.1/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch b/queue-6.1/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch deleted file mode 100644 index 759328650bd..00000000000 --- a/queue-6.1/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 099acc3ff752a5871df012b0698db0d6bfc1c4c0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 24 Jan 2023 02:47:19 +0100 -Subject: netfilter: conntrack: fix bug in for_each_sctp_chunk - -From: Sriram Yagnaraman - -[ Upstream commit 98ee0077452527f971567db01386de3c3d97ce13 ] - -skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds -skb->len, so this offset < skb->len test is redundant. - -if sch->length == 0, this will end up in an infinite loop, add a check -for sch->length > 0 - -Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") -Suggested-by: Florian Westphal -Signed-off-by: Sriram Yagnaraman -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_proto_sctp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c -index 3704d1c7d3c2..ee317f9a22e5 100644 ---- a/net/netfilter/nf_conntrack_proto_sctp.c -+++ b/net/netfilter/nf_conntrack_proto_sctp.c -@@ -155,8 +155,8 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) - - #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ - for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ -- (offset) < (skb)->len && \ -- ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ -+ ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ -+ (sch)->length; \ - (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) - - /* Some validity checks to make sure the chunks are fine */ --- -2.39.0 - diff --git a/queue-6.1/series b/queue-6.1/series index 1716c9cf503..d48ac6169da 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -271,7 +271,6 @@ ipv4-prevent-potential-spectre-v1-gadget-in-fib_metr.patch net-dsa-microchip-fix-probe-of-i2c-connected-ksz8563.patch net-ethernet-adi-adin1110-fix-multicast-offloading.patch netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch -netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch netrom-fix-use-after-free-of-a-listening-socket.patch platform-x86-asus-wmi-fix-kbd_dock_devid-tablet-swit.patch platform-x86-apple-gmux-move-port-defines-to-apple-g.patch