From 749cd2d3897369adf508dd748b602ca9f6847b02 Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Mon, 21 Nov 2005 17:09:08 -0800
Subject: [PATCH] Add netfilter fixes from Harald

---
 ...etlink-check-if-protoinfo-is-present.patch | 35 ++++++++
 ...oops-when-no-icpm-id-info-in-message.patch | 78 +++++++++++++++++
 ...-ftp-irc-tftp-helpers-on-large-ports.patch | 78 +++++++++++++++++
 ...nntrack-tcp-accept-syn+push-like-syn.patch | 38 +++++++++
 ...ix-module-refcount-droppoing-too-far.patch | 55 ++++++++++++
 ...ops-when-no-queue-handler-registered.patch | 31 +++++++
 ...endianness-bug-in-gre-key-callid-nat.patch | 85 +++++++++++++++++++
 ...lper-fix-pns-pac-expectation-call-id.patch | 83 ++++++++++++++++++
 ...f-proto-when-ctnetlink-dumping-tuple.patch | 42 +++++++++
 queue/series | 9 ++
 10 files changed, 534 insertions(+)
 create mode 100644 queue/ctnetlink-check-if-protoinfo-is-present.patch
 create mode 100644 queue/ctnetlink-fix-oops-when-no-icpm-id-info-in-message.patch
 create mode 100644 queue/ip_conntrack-fix-ftp-irc-tftp-helpers-on-large-ports.patch
 create mode 100644 queue/ip_conntrack-tcp-accept-syn+push-like-syn.patch
 create mode 100644 queue/nat-fix-module-refcount-droppoing-too-far.patch
 create mode 100644 queue/nf_queue-fix-oops-when-no-queue-handler-registered.patch
 create mode 100644 queue/pptp-helper-fix-endianness-bug-in-gre-key-callid-nat.patch
 create mode 100644 queue/pptp-helper-fix-pns-pac-expectation-call-id.patch
 create mode 100644 queue/recount-leak-of-proto-when-ctnetlink-dumping-tuple.patch
diff --git a/queue/ctnetlink-check-if-protoinfo-is-present.patch b/queue/ctnetlink-check-if-protoinfo-is-present.patch
new file mode 100644
index 00000000000..48efc77b18d
--- /dev/null
+++ b/queue/ctnetlink-check-if-protoinfo-is-present.patch
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:16 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] ctnetlink: check if protoinfo is present
+
+This fixes an oops triggered from userspace. If we don't pass information
+about the private protocol info, the reference to attr will be NULL. This is
+likely to happen in update messages.
+
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 5 +++++
+ 1 files changed, 5 insertions(+)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+@@ -362,6 +362,11 @@ static int nfattr_to_tcp(struct nfattr *
+ struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
+ struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];
+
++ /* updates could not contain anything about the private
++ * protocol info, in that case skip the parsing */
++ if (!attr)
++ return 0;
++
+ if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0)
+ goto nfattr_failure;
+
diff --git a/queue/ctnetlink-fix-oops-when-no-icpm-id-info-in-message.patch b/queue/ctnetlink-fix-oops-when-no-icpm-id-info-in-message.patch
new file mode 100644
index 00000000000..7aa6077a4cd
--- /dev/null
+++ b/queue/ctnetlink-fix-oops-when-no-icpm-id-info-in-message.patch
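Review bot: The early return covers the NULL `attr` dereference in nfattr_parse_nested, but the rest of nfattr_to_tcp continues outside the hunk and nothing visible here checks what comes back in `tb[]`; worth confirming that the TCP state value is presence-checked and range-checked before it is stored into the conntrack, since this path is driven entirely by userspace messages (presumably gated on CAP_NET_ADMIN by nfnetlink — confirm). The new comment's wording is also off ("could not contain"); I would write it as `/* an update message need not carry protocol-private info; treat its absence as "leave the TCP state alone" */`. Returning 0 rather than -EINVAL is the right call for an optional attribute, so callers see a successful no-op.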
@@ -0,0 +1,78 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:12 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] ctnetlink: Fix oops when no ICMP ID info in message
+
+From: Krzysztof Piotr Oledzki
+
+This patch fixes an userspace triggered oops. If there is no ICMP_ID
+info the reference to attr will be NULL.
+
+Signed-off-by: Krzysztof Piotr Oledzki
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_conntrack_proto_icmp.c | 13 +++++++------
+ 1 files changed, 7 insertions(+), 6 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+@@ -151,13 +151,13 @@ icmp_error_message(struct sk_buff *skb,
+ /* Not enough header? */
+ inside = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_in), &_in);
+ if (inside == NULL)
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+
+ /* Ignore ICMP's containing fragments (shouldn't happen) */
+ if (inside->ip.frag_off & htons(IP_OFFSET)) {
+ DEBUGP("icmp_error_track: fragment of proto %u\n",
+ inside->ip.protocol);
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+ }
+
+ innerproto = ip_conntrack_proto_find_get(inside->ip.protocol);
+@@ -166,7 +166,7 @@ icmp_error_message(struct sk_buff *skb,
+ if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) {
+ DEBUGP("icmp_error: ! 
get_tuple p=%u", inside->ip.protocol);
+ ip_conntrack_proto_put(innerproto);
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+ }
+
+ /* Ordinarily, we'd expect the inverted tupleproto, but it's
+@@ -174,7 +174,7 @@ icmp_error_message(struct sk_buff *skb,
+ if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) {
+ DEBUGP("icmp_error_track: Can't invert tuple\n");
+ ip_conntrack_proto_put(innerproto);
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+ }
+ ip_conntrack_proto_put(innerproto);
+
+@@ -190,7 +190,7 @@ icmp_error_message(struct sk_buff *skb,
+
+ if (!h) {
+ DEBUGP("icmp_error_track: no match\n");
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+ }
+ /* Reverse direction from that found */
+ if (DIRECTION(h) != IP_CT_DIR_REPLY)
+@@ -296,7 +296,8 @@ static int icmp_nfattr_to_tuple(struct n
+ struct ip_conntrack_tuple *tuple)
+ {
+ if (!tb[CTA_PROTO_ICMP_TYPE-1]
+- || !tb[CTA_PROTO_ICMP_CODE-1])
++ || !tb[CTA_PROTO_ICMP_CODE-1]
++ || !tb[CTA_PROTO_ICMP_ID-1])
+ return -1;
+
+ tuple->dst.u.icmp.type =
diff --git a/queue/ip_conntrack-fix-ftp-irc-tftp-helpers-on-large-ports.patch b/queue/ip_conntrack-fix-ftp-irc-tftp-helpers-on-large-ports.patch
new file mode 100644
index 00000000000..4a1e0e540f9
--- /dev/null
+++ b/queue/ip_conntrack-fix-ftp-irc-tftp-helpers-on-large-ports.patch
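Review bot: The five `NF_ACCEPT` → `-NF_ACCEPT` changes in icmp_error_message are not mentioned in the patch description, which only covers the `CTA_PROTO_ICMP_ID` presence check in icmp_nfattr_to_tuple. If the caller treats a negative return from the protocol's error callback as a final verdict (the sign convention these hunks imply; the caller is not visible here), this changes how truncated, fragmented or unmatched ICMP errors are classified — they would be counted as invalid instead of being handed on to normal tracking — and a `-m state --state INVALID -j DROP` rule would start dropping them, so it deserves a sentence in the description or a separate stable patch. The added `CTA_PROTO_ICMP_ID` check itself is right, since the attribute is read unconditionally a few lines below. icmp_error_message starts and ends outside the hunk, as does the body of icmp_nfattr_to_tuple.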
@@ -0,0 +1,78 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:08 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] ip_conntrack: fix ftp/irc/tftp helpers on ports >= 32768
+
+Since we've converted the ftp/irc/tftp helpers to use the new
+module_parm_array() some time ago, we ware accidentially using signed data
+types - thus preventing those modules from being used on ports >= 32768.
+
+This patch fixes it by using 'ushort' module parameters.
+
+Thanks to Jan Nijs for reporting this bug.
+
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_conntrack_ftp.c | 4 ++--
+ net/ipv4/netfilter/ip_conntrack_irc.c | 4 ++--
+ net/ipv4/netfilter/ip_conntrack_tftp.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_ftp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_ftp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_ftp.c
+@@ -29,9 +29,9 @@ static char *ftp_buffer;
+ static DEFINE_SPINLOCK(ip_ftp_lock);
+
+ #define MAX_PORTS 8
+-static short ports[MAX_PORTS];
++static unsigned short ports[MAX_PORTS];
+ static int ports_c;
+-module_param_array(ports, short, &ports_c, 0400);
++module_param_array(ports, ushort, &ports_c, 0400);
+
+ static int loose;
+ module_param(loose, int, 0600);
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_irc.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_irc.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_irc.c
+@@ -34,7 +34,7 @@
+ #include
+
+ #define MAX_PORTS 8
+-static short ports[MAX_PORTS];
++static unsigned short ports[MAX_PORTS];
+ static int ports_c;
+ static int max_dcc_channels = 8;
+ static unsigned int dcc_timeout = 300;
+@@ -52,7 +52,7 @@ EXPORT_SYMBOL_GPL(ip_nat_irc_hook);
+ 
MODULE_AUTHOR("Harald Welte ");
+ MODULE_DESCRIPTION("IRC (DCC) connection tracking helper");
+ MODULE_LICENSE("GPL");
+-module_param_array(ports, short, &ports_c, 0400);
++module_param_array(ports, ushort, &ports_c, 0400);
+ MODULE_PARM_DESC(ports, "port numbers of IRC servers");
+ module_param(max_dcc_channels, int, 0400);
+ MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per IRC session");
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_tftp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_tftp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_tftp.c
+@@ -26,9 +26,9 @@ MODULE_DESCRIPTION("tftp connection trac
+ MODULE_LICENSE("GPL");
+
+ #define MAX_PORTS 8
+-static short ports[MAX_PORTS];
++static unsigned short ports[MAX_PORTS];
+ static int ports_c;
+-module_param_array(ports, short, &ports_c, 0400);
++module_param_array(ports, ushort, &ports_c, 0400);
+ MODULE_PARM_DESC(ports, "port numbers of tftp servers");
+
+ #if 0
diff --git a/queue/ip_conntrack-tcp-accept-syn+push-like-syn.patch b/queue/ip_conntrack-tcp-accept-syn+push-like-syn.patch
new file mode 100644
index 00000000000..fbd3cffa67e
--- /dev/null
+++ b/queue/ip_conntrack-tcp-accept-syn+push-like-syn.patch
@@ -0,0 +1,38 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:32:49 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] ip_conntrack TCP: Accept SYN+PUSH like SYN
+
+From: Vlad Drukker
+
+Some devices (e.g. Qlogic iSCSI HBA hardware like QLA4010 up to firmware
+3.0.0.4) initiates TCP with SYN and PUSH flags set.
+
+The Linux TCP/IP stack deals fine with that, but the connection tracking
+code doesn't.
+
+This patch alters TCP connection tracking to accept SYN+PUSH as a valid
+flag combination.
+
+Signed-off-by: Vlad Drukker
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 1 +
+ 1 files changed, 1 insertion(+)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+@@ -818,6 +818,7 @@ static u8 tcp_valid_flags[(TH_FIN|TH_SYN
+ {
+ [TH_SYN] = 1,
+ [TH_SYN|TH_ACK] = 1,
++ [TH_SYN|TH_PUSH] = 1,
+ [TH_SYN|TH_ACK|TH_PUSH] = 1,
+ [TH_RST] = 1,
+ [TH_RST|TH_ACK] = 1,
diff --git a/queue/nat-fix-module-refcount-droppoing-too-far.patch b/queue/nat-fix-module-refcount-droppoing-too-far.patch
new file mode 100644
index 00000000000..83db00ded59
--- /dev/null
+++ b/queue/nat-fix-module-refcount-droppoing-too-far.patch
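Review bot: `tcp_valid_flags` appears to be the table that decides which flag combinations conntrack rejects up front as invalid, so widening it deserves an in-table comment so the new entry is not later "tidied away" as a typo; I would put `/* some initiators (e.g. QLogic iSCSI HBAs) send SYN|PSH; TCP itself accepts it, so treat it like a bare SYN */` above the added line. SYN|PSH without ACK presumably still goes through the state machine after this table (not visible here), so the entry only stops the packet being discarded before tracking — confirm. The table definition starts and ends outside the hunk.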
@@ -0,0 +1,55 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:04 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] NAT: Fix module refcount dropping too far
+
+From: Rusty Rusty
+
+The unknown protocol is used as a fallback when a protocol isn't known.
+Hence we cannot handle it failing, so don't set ".me". It's OK, since we
+only grab a reference from within the same module (iptable_nat.ko), so we
+never take the module refcount from 0 to 1.
+
+Also, remove the "protocol is NULL" test: it's never NULL.
+
+Signed-off-by: Rusty Rusty
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_nat_core.c | 6 ++----
+ net/ipv4/netfilter/ip_nat_proto_unknown.c | 2 +-
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_nat_core.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_nat_core.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_nat_core.c
+@@ -66,10 +66,8 @@ ip_nat_proto_find_get(u_int8_t protonum)
+ * removed until we've grabbed the reference */
+ preempt_disable();
+ p = __ip_nat_proto_find(protonum);
+- if (p) {
+- if (!try_module_get(p->me))
+- p = &ip_nat_unknown_protocol;
+- }
++ if (!try_module_get(p->me))
++ p = &ip_nat_unknown_protocol;
+ preempt_enable();
+
+ return p;
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_nat_proto_unknown.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_nat_proto_unknown.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_nat_proto_unknown.c
+@@ -62,7 +62,7 @@ unknown_print_range(char *buffer, const
+
+ struct ip_nat_protocol ip_nat_unknown_protocol = {
+ .name = "unknown",
+- .me = THIS_MODULE,
++ /* .me isn't set: getting a ref to this cannot fail. */
+ .manip_pkt = unknown_manip_pkt,
+ .in_range = unknown_in_range,
+ .unique_tuple = unknown_unique_tuple,
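Review bot: Dropping the `if (p)` guard makes ip_nat_proto_find_get depend on two invariants that are not visible at the call site: `__ip_nat_proto_find()` never returns NULL (the description asserts it falls back to ip_nat_unknown_protocol) and `try_module_get()` succeeds when `.me` is NULL, which the ip_nat_proto_unknown.c half of the patch now deliberately relies on. I would pin both in a comment on the new `try_module_get(p->me)` line: `/* p is never NULL: __ip_nat_proto_find() falls back to ip_nat_unknown_protocol, whose .me is NULL so this get cannot fail */`. The matching put presumably ends in module_put() on that NULL `.me`, which is a no-op — confirm, since it is outside the hunk. ip_nat_proto_find_get starts outside the hunk.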
diff --git a/queue/nf_queue-fix-oops-when-no-queue-handler-registered.patch b/queue/nf_queue-fix-oops-when-no-queue-handler-registered.patch
new file mode 100644
index 00000000000..27b2eb8b5f9
--- /dev/null
+++ b/queue/nf_queue-fix-oops-when-no-queue-handler-registered.patch
@@ -0,0 +1,31 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:32:49 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] nf_queue: Fix Ooops when no queue handler registered
+
+With the new nf_queue generalization in 2.6.14, we've introduced a bug
+that causes an oops as soon as a packet is queued but no queue handler
+registered. This patch fixes it.
+
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/netfilter/nf_queue.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.14.y/net/netfilter/nf_queue.c
+===================================================================
+--- linux-2.6.14.y.orig/net/netfilter/nf_queue.c
++++ linux-2.6.14.y/net/netfilter/nf_queue.c
+@@ -117,7 +117,7 @@ int nf_queue(struct sk_buff **skb,
+
+ /* QUEUE == DROP if noone is waiting, to be safe. */
+ read_lock(&queue_handler_lock);
+- if (!queue_handler[pf]->outfn) {
++ if (!queue_handler[pf] || !queue_handler[pf]->outfn) {
+ read_unlock(&queue_handler_lock);
+ kfree_skb(*skb);
+ return 1;
diff --git a/queue/pptp-helper-fix-endianness-bug-in-gre-key-callid-nat.patch b/queue/pptp-helper-fix-endianness-bug-in-gre-key-callid-nat.patch
new file mode 100644
index 00000000000..9db470dbfdf
--- /dev/null
+++ b/queue/pptp-helper-fix-endianness-bug-in-gre-key-callid-nat.patch
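Review bot: The added NULL test closes the oops and keeps the fail-closed behaviour (the skb is freed and the packet dropped), but `pf` indexes `queue_handler[]` with no bound visible in the hunk; presumably every caller of nf_queue passes a validated protocol family — confirm, since nf_queue begins outside the hunk. The comment above the test now describes only half of what it covers; I would change it to `/* QUEUE == DROP if noone is waiting (no handler for this pf, or one without an outfn), to be safe. */`.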
@@ -0,0 +1,85 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:32:56 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] PPTP helper: Fix endianness bug in GRE key / CallID NAT
+Return-Path: stable-bounces@linux.kernel.org
+Received: from smtp.osdl.org (smtp.osdl.org [65.172.181.4])
+ by shell0.pdx.osdl.net (8.13.1/8.11.6) with ESMTP id jAFCWur6030796;
+ Tue, 15 Nov 2005 04:32:56 -0800
+Received: from hera.kernel.org (hera.kernel.org [140.211.167.34])
+ by smtp.osdl.org (8.12.8/8.12.8) with ESMTP id jAFCWtnO007694
+ (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
+ Tue, 15 Nov 2005 04:32:55 -0800
+Received: from hera.kernel.org (localhost [127.0.0.1])
+ by hera.kernel.org (8.13.1/8.13.1) with ESMTP id jAFCWkDU006315;
+ Tue, 15 Nov 2005 04:32:46 -0800
+Received: from ganesha.gnumonks.org (ganesha.gnumonks.org [213.95.27.120])
+ by hera.kernel.org (8.13.1/8.13.1) with ESMTP id jAFCWefT006262
+ for ; Tue, 15 Nov 2005 04:32:42 -0800
+Received: from berligate.hmw-consulting.de ([83.236.178.202]
+ helo=sunbeam.hmw-consulting.de)
+ by ganesha.gnumonks.org with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
+ (Exim 4.50) id 1EbzzJ-0001uc-Og; Tue, 15 Nov 2005 13:32:39 +0100
+Received: from hanuman.de.gnumonks.org ([192.168.100.10] ident=Debian-exim)
+ by sunbeam.hmw-consulting.de with esmtp (Exim 4.54)
+ id 1EbzzJ-0001T0-1y; Tue, 15 Nov 2005 13:32:37 +0100
+Received: from laforge by hanuman.de.gnumonks.org with local (Exim 4.54)
+ id 1EbzzI-0006B3-OL; Tue, 15 Nov 2005 13:32:36 +0100
+Message-ID: <20051115133236.610397000@hanuman.de.gnumonks.org>
+User-Agent: davem-sendpatch.sh v0.2
+X-Spam-Score: 0.0 (/)
+X-Virus-Scanned: ClamAV version 0.85, clamav-milter version 0.85 on localhost
+X-Virus-Scanned: ClamAV version 0.85, clamav-milter version 0.85 on localhost
+X-Virus-Status: Clean
+X-BeenThere: stable@linux.kernel.org
+X-Mailman-Version: 2.1.5
+Precedence: list
+List-Id: For maintainers 
of the stable Linux series
+List-Unsubscribe: ,
+
+List-Archive:
+List-Post:
+List-Help:
+List-Subscribe: ,
+
+Sender: stable-bounces@linux.kernel.org
+Errors-To: stable-bounces@linux.kernel.org
+Received-SPF: none (domain of stable-bounces@linux.kernel.org does not designate permitted sender hosts)
+X-Spam-Status: No, hits=0 required=5 tests=
+X-Spam-Checker-Version: SpamAssassin 2.63-osdl_revision__1.55__
+X-MIMEDefang-Filter: osdl$Revision: 1.127 $
+X-Scanned-By: MIMEDefang 2.36
+Status: RO
+Content-Length: 1847
+Lines: 46
+
+This endianness bug slipped through while changing the 'gre.key' field in
+the conntrack tuple from 32bit to 16bit.
+
+None of my tests caught the problem, since the linux pptp client always has
+'0' as call id / gre key. Only windows clients actually trigger the bug.
+
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_nat_proto_gre.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_nat_proto_gre.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_nat_proto_gre.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_nat_proto_gre.c
+@@ -139,8 +139,8 @@ gre_manip_pkt(struct sk_buff **pskb,
+ break;
+ case GRE_VERSION_PPTP:
+ DEBUGP("call_id -> 0x%04x\n",
+- ntohl(tuple->dst.u.gre.key));
+- pgreh->call_id = htons(ntohl(tuple->dst.u.gre.key));
++ ntohs(tuple->dst.u.gre.key));
++ pgreh->call_id = tuple->dst.u.gre.key;
+ break;
+ default:
+ DEBUGP("can't nat unknown GRE version\n");
diff --git a/queue/pptp-helper-fix-pns-pac-expectation-call-id.patch b/queue/pptp-helper-fix-pns-pac-expectation-call-id.patch
new file mode 100644
index 00000000000..0e0a3f87644
--- /dev/null
+++ b/queue/pptp-helper-fix-pns-pac-expectation-call-id.patch
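Review bot: The fix makes `pgreh->call_id` a straight copy of `tuple->dst.u.gre.key`, which is only correct if the tuple keeps the key in network byte order; the description says so and the `ntohs()` in the DEBUGP agrees, but nothing in the hunk enforces it. Declaring the tuple's `gre.key` and the header's `call_id` as `__be16` would let sparse flag the next `ntohl`/`htons` mix-up of this kind; if that is out of scope for a stable backport, a one-line comment on the assignment, `/* key is stored in network order, same as the on-wire call_id */`, would at least record the invariant. The other GRE versions handled by this switch, and gre_manip_pkt itself, start and end outside the hunk.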
@@ -0,0 +1,83 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:00 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] PPTP helper: fix PNS-PAC expectation call id
+
+From: Philip Craig
+
+The reply tuple of the PNS->PAC expectation was using the wrong call id.
+
+So we had the following situation:
+- PNS behind NAT firewall
+- PNS call id requires NATing
+- PNS->PAC gre packet arrives first
+
+then the PNS->PAC expectation is matched, and the other expectation
+is deleted, but the PAC->PNS gre packets do not match the gre conntrack
+because the call id is wrong.
+
+We also cannot use ip_nat_follow_master().
+
+Signed-off-by: Philip Craig
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_nat_helper_pptp.c | 28 ++++++++++++++++++++++++++--
+ 1 files changed, 26 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_nat_helper_pptp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_nat_helper_pptp.c
+@@ -73,6 +73,7 @@ static void pptp_nat_expected(struct ip_
+ struct ip_conntrack_tuple t;
+ struct ip_ct_pptp_master *ct_pptp_info;
+ struct ip_nat_pptp *nat_pptp_info;
++ struct ip_nat_range range;
+
+ ct_pptp_info = &master->help.ct_pptp_info;
+ nat_pptp_info = &master->nat.help.nat_pptp_info;
+@@ -110,7 +111,30 @@ static void pptp_nat_expected(struct ip_
+ DEBUGP("not found!\n");
+ }
+
+- ip_nat_follow_master(ct, exp);
++ /* This must be a fresh one. 
*/
++ BUG_ON(ct->status & IPS_NAT_DONE_MASK);
++
++ /* Change src to where master sends to */
++ range.flags = IP_NAT_RANGE_MAP_IPS;
++ range.min_ip = range.max_ip
++ = ct->master->tuplehash[!exp->dir].tuple.dst.ip;
++ if (exp->dir == IP_CT_DIR_ORIGINAL) {
++ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
++ range.min = range.max = exp->saved_proto;
++ }
++ /* hook doesn't matter, but it has to do source manip */
++ ip_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
++
++ /* For DST manip, map port here to where it's expected. */
++ range.flags = IP_NAT_RANGE_MAP_IPS;
++ range.min_ip = range.max_ip
++ = ct->master->tuplehash[!exp->dir].tuple.src.ip;
++ if (exp->dir == IP_CT_DIR_REPLY) {
++ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
++ range.min = range.max = exp->saved_proto;
++ }
++ /* hook doesn't matter, but it has to do destination manip */
++ ip_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
+ }
+
+ /* outbound packets == from PNS to PAC */
+@@ -213,7 +237,7 @@ pptp_exp_gre(struct ip_conntrack_expect
+
+ /* alter expectation for PNS->PAC direction */
+ invert_tuplepr(&inv_t, &expect_orig->tuple);
+- expect_orig->saved_proto.gre.key = htons(nat_pptp_info->pac_call_id);
++ expect_orig->saved_proto.gre.key = htons(ct_pptp_info->pns_call_id);
+ expect_orig->tuple.src.u.gre.key = htons(nat_pptp_info->pns_call_id);
+ expect_orig->tuple.dst.u.gre.key = htons(ct_pptp_info->pac_call_id);
+ inv_t.src.ip = reply_t->src.ip;
diff --git a/queue/recount-leak-of-proto-when-ctnetlink-dumping-tuple.patch b/queue/recount-leak-of-proto-when-ctnetlink-dumping-tuple.patch
new file mode 100644
index 00000000000..86689245294
--- /dev/null
+++ b/queue/recount-leak-of-proto-when-ctnetlink-dumping-tuple.patch
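Review bot: The description says ip_nat_follow_master() cannot be used but not why, and the open-coded replacement in pptp_nat_expected reads as a near copy of it, so the next reader will be tempted to fold it back; from the visible lines the difference appears to be that `exp->saved_proto` is applied to the source manip when `exp->dir == IP_CT_DIR_ORIGINAL` and to the destination manip when it is `IP_CT_DIR_REPLY`, rather than always to the destination manip. Please record that above the `BUG_ON`, e.g. `/* open-coded ip_nat_follow_master(): the expected call id must go to the src manip for PNS->PAC and to the dst manip for PAC->PNS */` (confirm against follow_master, which is outside the hunk). `range` is a stack struct whose `.min`/`.max` are only written under `IP_NAT_RANGE_PROTO_SPECIFIED`; that is fine as long as ip_nat_setup_info never reads them otherwise, but a `memset(&range, 0, sizeof(range));` after the declaration removes the dependency cheaply. pptp_nat_expected starts outside the hunk.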
@@ -0,0 +1,42 @@
+From stable-bounces@linux.kernel.org Tue Nov 15 04:32:52 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte
+To: Stable Kernel
+Cc:
+Subject: [PATCH] [NETFILTER] refcount leak of proto when ctnetlink dumping tuple
+
+From: Yasuyuki Kozakai
+
+Signed-off-by: Yasuyuki Kozakai
+Signed-off-by: Harald Welte
+Signed-off-by: Chris Wright
+---
+
+ net/ipv4/netfilter/ip_conntrack_netlink.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_netlink.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_netlink.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_netlink.c
+@@ -58,14 +58,17 @@ ctnetlink_dump_tuples_proto(struct sk_bu
+ const struct ip_conntrack_tuple *tuple)
+ {
+ struct ip_conntrack_protocol *proto;
++ int ret = 0;
+
+ NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
+
+ proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
+- if (proto && proto->tuple_to_nfattr)
+- return proto->tuple_to_nfattr(skb, tuple);
++ if (likely(proto && proto->tuple_to_nfattr)) {
++ ret = proto->tuple_to_nfattr(skb, tuple);
++ ip_conntrack_proto_put(proto);
++ }
+
+- return 0;
++ return ret;
+
+ nfattr_failure:
+ return -1;
diff --git a/queue/series b/queue/series
index 66689990d71..a4b59af6904 100644
--- a/queue/series
+++ b/queue/series
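Review bot: The put is still skipped on one path: when `proto` is non-NULL but `proto->tuple_to_nfattr` is NULL, the reference taken by `ip_conntrack_proto_find_get()` is never released, so a protocol module that registers with `.me` set but without a tuple_to_nfattr callback could no longer be unloaded once a conntrack for it has been dumped. Move the release out of the conditional: `if (likely(proto && proto->tuple_to_nfattr)) ret = proto->tuple_to_nfattr(skb, tuple);` followed by `if (proto) ip_conntrack_proto_put(proto);`. Whether any in-tree protocol currently has that combination I can't tell from here, but the change is no larger than the leak it already closes. ctnetlink_dump_tuples_proto's closing brace is outside the hunk.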
@@ -4,3 +4,12 @@ fix-soft-lockup-with-ALSA-rtc-timer.patch
 packet-writing-oops-fix.patch
 fix-memory-leak-with-file-leases.patch
 generic-hdlc-wan-drivers-disable-netif_carrier_off.patch
+pptp-helper-fix-endianness-bug-in-gre-key-callid-nat.patch
+nat-fix-module-refcount-droppoing-too-far.patch
+nf_queue-fix-oops-when-no-queue-handler-registered.patch
+recount-leak-of-proto-when-ctnetlink-dumping-tuple.patch
+ctnetlink-check-if-protoinfo-is-present.patch
+pptp-helper-fix-pns-pac-expectation-call-id.patch
+ctnetlink-fix-oops-when-no-icpm-id-info-in-message.patch
+ip_conntrack-tcp-accept-syn+push-like-syn.patch
+ip_conntrack-fix-ftp-irc-tftp-helpers-on-large-ports.patch
-- 
2.47.3