drop queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Jul 2023 08:40:42 +0000 (10:40 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Jul 2023 08:40:42 +0000 (10:40 +0200)
it didn't apply properly

queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch [deleted file]
queue-6.1/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch
queue-6.1/series

diff --git a/queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch b/queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch
deleted file mode 100644 (file)
index 77e5b84..0000000
+++ /dev/null
@@ -1,101 +0,0 @@
-From e30f7714a276eaf155fe312add3e12f7fc38ef61 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 27 Jun 2023 14:38:13 +0200
-Subject: net/sched: act_ipt: zero skb->cb before calling target
-
-From: Florian Westphal <fw@strlen.de>
-
-[ Upstream commit 93d75d475c5dc3404292976147d063ee4d808592 ]
-
-xtables relies on skb being owned by ip stack, i.e. with ipv4
-check in place skb->cb is supposed to be IPCB.
-
-I don't see an immediate problem (REJECT target cannot be used anymore
-now that PRE/POSTROUTING hook validation has been fixed), but better be
-safe than sorry.
-
-A much better patch would be to either mark act_ipt as
-"depends on BROKEN" or remove it altogether. I plan to do this
-for -next in the near future.
-
-This tc extension is broken in the sense that tc lacks an
-equivalent of NF_STOLEN verdict.
-
-With NF_STOLEN, target function takes complete ownership of skb, caller
-cannot dereference it anymore.
-
-ACT_STOLEN cannot be used for this: it has a different meaning, caller
-is allowed to dereference the skb.
-
-At this time NF_STOLEN won't be returned by any targets as far as I can
-see, but this may change in the future.
-
-It might be possible to work around this via list of allowed
-target extensions known to only return DROP or ACCEPT verdicts, but this
-is error prone/fragile.
-
-Existing selftest only validates xt_LOG and act_ipt is restricted
-to ipv4 so I don't think this action is used widely.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/sched/act_ipt.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
-index a6b522b512dc3..598d6e299152a 100644
---- a/net/sched/act_ipt.c
-+++ b/net/sched/act_ipt.c
-@@ -21,6 +21,7 @@
- #include <linux/tc_act/tc_ipt.h>
- #include <net/tc_act/tc_ipt.h>
- #include <net/tc_wrapper.h>
-+#include <net/ip.h>
- #include <linux/netfilter_ipv4/ip_tables.h>
-@@ -254,6 +255,7 @@ TC_INDIRECT_SCOPE int tcf_ipt_act(struct sk_buff *skb,
-                                 const struct tc_action *a,
-                                 struct tcf_result *res)
- {
-+      char saved_cb[sizeof_field(struct sk_buff, cb)];
-       int ret = 0, result = 0;
-       struct tcf_ipt *ipt = to_ipt(a);
-       struct xt_action_param par;
-@@ -280,6 +282,8 @@ TC_INDIRECT_SCOPE int tcf_ipt_act(struct sk_buff *skb,
-               state.out = skb->dev;
-       }
-+      memcpy(saved_cb, skb->cb, sizeof(saved_cb));
-+
-       spin_lock(&ipt->tcf_lock);
-       tcf_lastuse_update(&ipt->tcf_tm);
-@@ -292,6 +296,9 @@ TC_INDIRECT_SCOPE int tcf_ipt_act(struct sk_buff *skb,
-       par.state    = &state;
-       par.target   = ipt->tcfi_t->u.kernel.target;
-       par.targinfo = ipt->tcfi_t->data;
-+
-+      memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
-+
-       ret = par.target->target(skb, &par);
-       switch (ret) {
-@@ -312,6 +319,9 @@ TC_INDIRECT_SCOPE int tcf_ipt_act(struct sk_buff *skb,
-               break;
-       }
-       spin_unlock(&ipt->tcf_lock);
-+
-+      memcpy(skb->cb, saved_cb, sizeof(skb->cb));
-+
-       return result;
- }
--- 
-2.39.2
-
index ebe9fed43848e0f2cdeef5e9328fcb71fa93916e..b5b9bd3475910a4bac89a985cac04a2a741f1275 100644 (file)
@@ -37,14 +37,12 @@ Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn
 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- net/sched/act_pedit.c | 1 +
+ net/sched/act_pedit.c |    1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
-index 613a1d777d5a6..c2aed8b056a1d 100644
 --- a/net/sched/act_pedit.c
 +++ b/net/sched/act_pedit.c
-@@ -29,6 +29,7 @@ static struct tc_action_ops act_pedit_ops;
+@@ -28,6 +28,7 @@ static struct tc_action_ops act_pedit_op
  
  static const struct nla_policy pedit_policy[TCA_PEDIT_MAX + 1] = {
        [TCA_PEDIT_PARMS]       = { .len = sizeof(struct tc_pedit) },
@@ -52,6 +50,3 @@ index 613a1d777d5a6..c2aed8b056a1d 100644
        [TCA_PEDIT_KEYS_EX]   = { .type = NLA_NESTED },
  };
  
--- 
-2.39.2
-
index 0caf6df35590808a7bce5d8fb5882a3f8a2252a0..4609c43c143a8677fe96c5bd325f9316a0dcb3a9 100644 (file)
@@ -485,7 +485,6 @@ sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch
 net-sched-act_ipt-add-sanity-checks-on-table-name-an.patch
 net-add-a-couple-of-helpers-for-iph-tot_len.patch
 net-sched-act_ipt-add-sanity-checks-on-skb-before-ca.patch
-net-sched-act_ipt-zero-skb-cb-before-calling-target.patch
 spi-spi-geni-qcom-enable-spi_controller_must_tx-for-.patch
 net-mscc-ocelot-don-t-report-that-rx-timestamping-is.patch
 net-mscc-ocelot-don-t-keep-ptp-configuration-of-all-.patch