From: Greg Kroah-Hartman
Date: Sat, 1 Jul 2017 14:12:54 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.60~57
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=66ab0c12924bf2cb6e365cf442f319f435ea2ea7;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
netfilter-synproxy-fix-conntrackd-interaction.patch
netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch
---
diff --git a/queue-4.9/netfilter-synproxy-fix-conntrackd-interaction.patch b/queue-4.9/netfilter-synproxy-fix-conntrackd-interaction.patch
new file mode 100644
index 00000000000..5d41b1e3969
--- /dev/null
+++ b/queue-4.9/netfilter-synproxy-fix-conntrackd-interaction.patch
@@ -0,0 +1,45 @@
+From 87e94dbc210a720a34be5c1174faee5c84be963e Mon Sep 17 00:00:00 2001
+From: Eric Leblond
+Date: Thu, 11 May 2017 18:56:38 +0200
+Subject: netfilter: synproxy: fix conntrackd interaction
+
+From: Eric Leblond
+
+commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream.
+
+This patch fixes the creation of connection tracking entry from
+netlink when synproxy is used. It was missing the addition of
+the synproxy extension.
+
+This was causing kernel crashes when a conntrack entry created by
+conntrackd was used after the switch of traffic from active node
+to the passive node.
+
+Signed-off-by: Eric Leblond
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_netlink.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -45,6 +45,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+ #ifdef CONFIG_NF_NAT_NEEDED
+ #include
+ #include
+@@ -1800,6 +1802,8 @@ ctnetlink_create_conntrack(struct net *n
+ nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
+ nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
+ nf_ct_labels_ext_add(ct);
++ nfct_seqadj_ext_add(ct);
++ nfct_synproxy_ext_add(ct);
+
+ /* we must add conntrack extensions before confirmation. */
+ ct->status |= IPS_CONFIRMED;
diff --git a/queue-4.9/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch b/queue-4.9/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch
new file mode 100644
index 00000000000..1ad34b0b01b
--- /dev/null
+++ b/queue-4.9/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch
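Review bot: The return values of the two calls added after nf_ct_labels_ext_add(ct), nfct_seqadj_ext_add(ct) and nfct_synproxy_ext_add(ct), are discarded, so if either extension allocation fails (presumably returning NULL like the neighbouring ext_add helpers) the entry is still marked IPS_CONFIRMED two lines later without the extension this fix exists to provide; the surrounding ext_add calls are unchecked too, so this follows existing style rather than opening a new gap, but it is worth knowing when reasoning about the crash the description reports. The two added #include lines carry no header name in this rendering, so which headers the backport pulls in cannot be confirmed from the page. A short comment on the added calls would record why netlink-created entries need them, e.g. `/* entries created via ctnetlink (e.g. conntrackd sync) need the seqadj/synproxy ext before confirmation, see commit 87e94dbc */`. ctnetlink_create_conntrack starts and ends outside the hunk.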
@@ -0,0 +1,47 @@
+From 2638fd0f92d4397884fd991d8f4925cb3f081901 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 3 Apr 2017 10:55:11 -0700
+Subject: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
+
+From: Eric Dumazet
+
+commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream.
+
+Denys provided an awesome KASAN report pointing to an use
+after free in xt_TCPMSS
+
+I have provided three patches to fix this issue, either in xt_TCPMSS or
+in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
+impact.
+
+Signed-off-by: Eric Dumazet
+Reported-by: Denys Fedoryshchenko
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/xt_TCPMSS.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/xt_TCPMSS.c
++++ b/net/netfilter/xt_TCPMSS.c
+@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb
+ tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+ tcp_hdrlen = tcph->doff * 4;
+
+- if (len < tcp_hdrlen)
++ if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
+ return -1;
+
+ if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
+@@ -152,6 +152,10 @@ tcpmss_mangle_packet(struct sk_buff *skb
+ if (len > tcp_hdrlen)
+ return 0;
+
++ /* tcph->doff has 4 bits, do not wrap it to 0 */
++ if (tcp_hdrlen >= 15 * 4)
++ return 0;
++
+ /*
+ * MSS Option not found ?! add it..
+ */
diff --git a/queue-4.9/series b/queue-4.9/series
index 36c697c78c0..79db812ae14 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -23,3 +23,5 @@ net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch
 sfc-provide-dummy-definitions-of-vswitch-functions.patch
 ipv6-do-not-leak-throw-route-references.patch
 rtnetlink-add-ifla_group-to-ifla_policy.patch
+netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch
+netfilter-synproxy-fix-conntrackd-interaction.patch
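Review bot: The first added check in the `-104,7 +104,7` hunk, `tcp_hdrlen < sizeof(struct tcphdr)`, carries no comment, unlike the doff-wrap guard added in the second hunk, so the reason a too-short header is treated as an error (return -1) while an over-long one is merely left unmodified (return 0) is not recorded in the code; a comment such as `/* doff < 5 would place the options inside the fixed header: malformed, reject */` beside the condition would make that asymmetry visibly deliberate. The wrap guard `tcp_hdrlen >= 15 * 4` is right for the 4-bit doff field (adding a 4-byte MSS option to a 60-byte header would wrap doff to 0, which is the use-after-free the description reports), but the limit is spelled as a bare literal; naming it, or folding the existing comment's meaning into the expression, would stop a later reader from second-guessing the 15. tcpmss_mangle_packet starts and ends outside both hunks.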