linux-stable.git/net/bridge, branch linux-2.6.16.y Linux kernel stable tree ebtables: check struct type before computing gap 2007-01-09T02:23:34+00:00 Chuck Ebbert 76306.1226@compuserve.com 2007-01-08T06:11:50+00:00 028f0b0041f1bbd0a4f5cd1c4db452b276382115 Check struct type before dereferencing fields in ebt_entry. Failure to check can cause oops. Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Check struct type before dereferencing fields in ebt_entry.
Failure to check can cause oops.

Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
bridge-netfilter: don't overwrite memory outside of skb 2006-12-18T19:51:43+00:00 Stephen Hemminger shemminger@osdl.org 2006-12-18T19:51:43+00:00 d0354e3ba19cdf9acc2ca89bbb59b1e6292a4f44 The bridge netfilter code needs to check for space at the front of the skb before overwriting; otherwise if skb from device doesn't have headroom, then it will cause random memory corruption. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
The bridge netfilter code needs to check for space at the
front of the skb before overwriting; otherwise if skb from
device doesn't have headroom, then it will cause random
memory corruption.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751) 2006-12-04T18:44:59+00:00 Chris Wright chrisw@sous-sol.org 2006-12-04T18:44:59+00:00 e0d34fea66c5dbe70116acac6f4d722564810dca Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751). Signed-off-by: Chris Wright <chrisw@sous-sol.org> Acked-by: Stephen Hemminger <shemminger@osdl.org> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Stephen Hemminger <shemminger@osdl.org>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
[EBTABLES]: Prevent wraparounds in checks for entry components' sizes. 2006-12-04T12:13:23+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-04T12:13:23+00:00 dbb4a0ecfe7dc4c989985a23288c98b2e3c8ee0d Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
[EBTABLES]: Deal with the worst-case behaviour in loop checks. 2006-12-04T12:12:43+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-04T12:12:43+00:00 e4a7da4a76137dab99b98ce126ec2837dd53f638 No need to revisit a chain we'd already finished with during the check for current hook. It's either instant loop (which we'd just detected) or a duplicate work. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
No need to revisit a chain we'd already finished with during
the check for current hook.  It's either instant loop (which
we'd just detected) or a duplicate work.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
[EBTABLES]: Verify that ebt_entries have zero ->distinguisher. 2006-12-04T12:12:06+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-04T12:12:06+00:00 f1f7d270d4a610222efe9920b8443d807355bfca We need that for iterator to work; existing check had been too weak. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
We need that for iterator to work; existing check had been too weak.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
[EBTABLES]: Fix wraparounds in ebt_entries verification. 2006-12-04T12:11:24+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-04T12:11:24+00:00 d559dd79b58829f1ebb7996698e6354600e79b14 We need to verify that a) we are not too close to the end of buffer to dereference b) next entry we'll be checking won't be _before_ our While we are at it, don't subtract unrelated pointers... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
We need to verify that
    a) we are not too close to the end of buffer to dereference
    b) next entry we'll be checking won't be _before_ our

While we are at it, don't subtract unrelated pointers...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
ulog: fix panic on SMP kernels 2006-08-26T15:35:49+00:00 Mark Huang mlhuang@cs.princeton.edu 2006-08-26T15:35:49+00:00 189abe08c84ab16197c29683d40df3c4917bd475 Fix kernel panic on various SMP machines. The culprit is a null ub->skb in ulog_send(). If ulog_timer() has already been scheduled on one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the queue on another CPU by calling ulog_send() right before it exits, there will be no skbuff when ulog_timer() acquires the lock and calls ulog_send(). Cancelling the timer in ulog_send() doesn't help because it has already been scheduled and is running on the first CPU. Similar problem exists in ebt_ulog.c and nfnetlink_log.c. Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Fix kernel panic on various SMP machines. The culprit is a null
ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
queue on another CPU by calling ulog_send() right before it exits,
there will be no skbuff when ulog_timer() acquires the lock and calls
ulog_send(). Cancelling the timer in ulog_send() doesn't help because
it has already been scheduled and is running on the first CPU.

Similar problem exists in ebt_ulog.c and nfnetlink_log.c.

Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
[PATCH] NETFILTER: Fix fragmentation issues with bridge netfilter 2006-04-17T20:16:04+00:00 Patrick McHardy kaber@trash.net 2006-04-06T16:51:38+00:00 ea0fcdd684262eed42bb40cceff450ef46a97306 [NETFILTER]: Fix fragmentation issues with bridge netfilter The conntrack code doesn't do re-fragmentation of defragmented packets anymore but relies on fragmentation in the IP layer. Purely bridged packets don't pass through the IP layer, so the bridge netfilter code needs to take care of fragmentation itself. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
[NETFILTER]: Fix fragmentation issues with bridge netfilter

The conntrack code doesn't do re-fragmentation of defragmented packets
anymore but relies on fragmentation in the IP layer. Purely bridged
packets don't pass through the IP layer, so the bridge netfilter code
needs to take care of fragmentation itself.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[NETFILTER]: Fix wrong option spelling in Makefile for CONFIG_BRIDGE_EBT_ULOG 2006-03-12T02:51:25+00:00 Gregor Maier gregor@net.in.tum.de 2006-03-12T02:51:25+00:00 c12743764129e40dc8461afc1096cf175c7c25f2 Signed-off-by: Gregor Maier <gregor@net.in.tum.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Gregor Maier <gregor@net.in.tum.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>