From 24a1dec55073000264f2da6278baef759929a14f Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Sun, 28 Jan 2007 15:54:42 -0800 Subject: [PATCH 1/8] [MAINTAINERS]: netfilter@ is subscribers-only netfilter mailing list is subscribers-only. Signed-off-by: Randy Dunlap Signed-off-by: David S. Miller --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 1446cc41c12f..a275f72ed5f7 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2288,7 +2288,7 @@ P: Jozsef Kadlecsik P: Patrick McHardy M: kaber@trash.net L: netfilter-devel@lists.netfilter.org -L: netfilter@lists.netfilter.org +L: netfilter@lists.netfilter.org (subscribers-only) L: coreteam@netfilter.org W: http://www.netfilter.org/ W: http://www.iptables.org/ From fb74a8416022c033e1a950689c264c453f8f98d8 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 30 Jan 2007 14:24:29 -0800 Subject: [PATCH 2/8] [NETFILTER]: xt_connbytes: fix division by zero When the packet counter of a connection is zero a division by zero occurs in div64_64(). Fix that by using zero as average value, which is correct as long as the packet counter didn't overflow, at which point we have lost anyway. Additionally we're probably going to go back to 64 bit counters in 2.6.21. Based on patch from Jonas Berlin , with suggestions from KOVACS Krisztian . Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netfilter/xt_connbytes.c | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c index d93cb096a675..5e32dfa2668b 100644 --- a/net/netfilter/xt_connbytes.c +++ b/net/netfilter/xt_connbytes.c @@ -52,6 +52,8 @@ match(const struct sk_buff *skb, { const struct xt_connbytes_info *sinfo = matchinfo; u_int64_t what = 0; /* initialize to make gcc happy */ + u_int64_t bytes = 0; + u_int64_t pkts = 0; const struct ip_conntrack_counter *counters; if (!(counters = nf_ct_get_counters(skb))) @@ -89,29 +91,22 @@ match(const struct sk_buff *skb, case XT_CONNBYTES_AVGPKT: switch (sinfo->direction) { case XT_CONNBYTES_DIR_ORIGINAL: - what = div64_64(counters[IP_CT_DIR_ORIGINAL].bytes, - counters[IP_CT_DIR_ORIGINAL].packets); + bytes = counters[IP_CT_DIR_ORIGINAL].bytes; + pkts = counters[IP_CT_DIR_ORIGINAL].packets; break; case XT_CONNBYTES_DIR_REPLY: - what = div64_64(counters[IP_CT_DIR_REPLY].bytes, - counters[IP_CT_DIR_REPLY].packets); + bytes = counters[IP_CT_DIR_REPLY].bytes; + pkts = counters[IP_CT_DIR_REPLY].packets; break; case XT_CONNBYTES_DIR_BOTH: - { - u_int64_t bytes; - u_int64_t pkts; - bytes = counters[IP_CT_DIR_ORIGINAL].bytes + - counters[IP_CT_DIR_REPLY].bytes; - pkts = counters[IP_CT_DIR_ORIGINAL].packets+ - counters[IP_CT_DIR_REPLY].packets; - - /* FIXME_THEORETICAL: what to do if sum - * overflows ? */ - - what = div64_64(bytes, pkts); - } + bytes = counters[IP_CT_DIR_ORIGINAL].bytes + + counters[IP_CT_DIR_REPLY].bytes; + pkts = counters[IP_CT_DIR_ORIGINAL].packets + + counters[IP_CT_DIR_REPLY].packets; break; } + if (pkts != 0) + what = div64_64(bytes, pkts); break; } From 7da5bfbb12e327b3a347ee3e076957cd6564eb56 Mon Sep 17 00:00:00 2001 From: Lars Immisch Date: Tue, 30 Jan 2007 14:24:57 -0800 Subject: [PATCH 3/8] [NETFILTER]: SIP conntrack: fix skipping over user info in SIP headers When trying to skip over the username in the Contact header, stop at the end of the line if no @ is found to avoid mangling following headers. We don't need to worry about continuation lines because we search inside a SIP URI. Fixes Netfilter Bugzilla #532. Signed-off-by: Lars Immisch Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/netfilter/ip_conntrack_sip.c | 8 +++++++- net/netfilter/nf_conntrack_sip.c | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c index 3a26d63eed88..571d27e20910 100644 --- a/net/ipv4/netfilter/ip_conntrack_sip.c +++ b/net/ipv4/netfilter/ip_conntrack_sip.c @@ -283,8 +283,14 @@ static int skp_epaddr_len(const char *dptr, const char *limit, int *shift) { int s = *shift; - for (; dptr <= limit && *dptr != '@'; dptr++) + /* Search for @, but stop at the end of the line. + * We are inside a sip: URI, so we don't need to worry about + * continuation lines. */ + while (dptr <= limit && + *dptr != '@' && *dptr != '\r' && *dptr != '\n') { (*shift)++; + dptr++; + } if (*dptr == '@') { dptr++; diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index eb2a2411f97b..c93fb37a54fc 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -303,8 +303,14 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr, { int s = *shift; - for (; dptr <= limit && *dptr != '@'; dptr++) + /* Search for @, but stop at the end of the line. + * We are inside a sip: URI, so we don't need to worry about + * continuation lines. */ + while (dptr <= limit && + *dptr != '@' && *dptr != '\r' && *dptr != '\n') { (*shift)++; + dptr++; + } if (*dptr == '@') { dptr++; From adcb4711101dfef89d473f64a913089d303962ae Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 30 Jan 2007 14:25:24 -0800 Subject: [PATCH 4/8] [NETFILTER]: SIP conntrack: fix out of bounds memory access When checking for an @-sign in skp_epaddr_len, make sure not to run over the packet boundaries. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/netfilter/ip_conntrack_sip.c | 2 +- net/netfilter/nf_conntrack_sip.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c index 571d27e20910..11c588a10e6b 100644 --- a/net/ipv4/netfilter/ip_conntrack_sip.c +++ b/net/ipv4/netfilter/ip_conntrack_sip.c @@ -292,7 +292,7 @@ static int skp_epaddr_len(const char *dptr, const char *limit, int *shift) dptr++; } - if (*dptr == '@') { + if (dptr <= limit && *dptr == '@') { dptr++; (*shift)++; } else diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index c93fb37a54fc..9dec11534678 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -312,7 +312,7 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr, dptr++; } - if (*dptr == '@') { + if (dptr <= limit && *dptr == '@') { dptr++; (*shift)++; } else From fa03ef38e1516c1f35f6a189100186dded0f8f8c Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Tue, 30 Jan 2007 14:30:10 -0800 Subject: [PATCH 5/8] [IPV6]: Fix up some CONFIG typos Signed-off-by: Neil Horman Signed-off-by: David S. Miller --- net/ipv6/addrconf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 2a7e4618f526..e3854696988d 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3393,7 +3393,7 @@ static void inline ipv6_store_devconf(struct ipv6_devconf *cnf, #ifdef CONFIG_IPV6_ROUTER_PREF array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref; array[DEVCONF_RTR_PROBE_INTERVAL] = cnf->rtr_probe_interval; -#ifdef CONFIV_IPV6_ROUTE_INFO +#ifdef CONFIG_IPV6_ROUTE_INFO array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen; #endif #endif @@ -3898,7 +3898,7 @@ static struct addrconf_sysctl_table .proc_handler = &proc_dointvec_jiffies, .strategy = &sysctl_jiffies, }, -#ifdef CONFIV_IPV6_ROUTE_INFO +#ifdef CONFIG_IPV6_ROUTE_INFO { .ctl_name = NET_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN, .procname = "accept_ra_rt_info_max_plen", From 29556526b970c2e7d4ca808b6082c33981adfdff Mon Sep 17 00:00:00 2001 From: Li Yewang Date: Tue, 30 Jan 2007 14:33:20 -0800 Subject: [PATCH 6/8] [IPV6]: fix BUG of ndisc_send_redirect() When I tested IPv6 redirect function about kernel 2.6.19.1, and found that the kernel can send redirect packets whose target address is global address, and the target is not the actual endpoint of communication. But the criteria conform to RFC2461, the target address defines as following: Target Address An IP address that is a better first hop to use for he ICMP Destination Address. When the target is the actual endpoint of communication, i.e., the destination is a neighbor, the Target Address field MUST contain the same value as the ICMP Destination Address field. Otherwise the target is a better first-hop router and the Target Address MUST be the router's link-local address so that hosts can uniquely identify routers. According to this definition, when a router redirect to a host, the target address either the better first-hop router's link-local address or the same as the ICMP destination address field. But the function of ndisc_send_redirect() in net/ipv6/ndisc.c, does not check the target address correctly. There is another definition about receive Redirect message in RFC2461: 8.1. Validation of Redirect Messages A host MUST silently discard any received Redirect message that does not satisfy all of the following validity checks: ...... - The ICMP Target Address is either a link-local address (when redirected to a router) or the same as the ICMP Destination Address (when redirected to the on-link destination). ...... And the receive redirect function of ndisc_redirect_rcv() implemented this definition, checks the target address correctly. if (ipv6_addr_equal(dest, target)) { on_link = 1; } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) { ND_PRINTK2(KERN_WARNING "ICMPv6 Redirect: target address is not link-local.\n"); return; } So, I think the send redirect function must check the target address also. Signed-off-by: Li Yewang Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- net/ipv6/ndisc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 6a9f616de37d..39bb658f3c44 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -1413,6 +1413,13 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh, return; } + if (!ipv6_addr_equal(&skb->nh.ipv6h->daddr, target) && + !(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) { + ND_PRINTK2(KERN_WARNING + "ICMPv6 Redirect: target address is not link-local.\n"); + return; + } + ndisc_flow_init(&fl, NDISC_REDIRECT, &saddr_buf, &skb->nh.ipv6h->saddr, dev->ifindex); From e533ca16f31f9e5abfaf5d8c7dbe7095f01474b6 Mon Sep 17 00:00:00 2001 From: Vlad Yasevich Date: Tue, 30 Jan 2007 14:36:14 -0800 Subject: [PATCH 7/8] [SCTP]: Force update of the rto when processing HB-ACK When processing a HEARTBEAT-ACK it's possible that the transport rto timers will not be updated because a prior T3-RTX processing would have cleared the rto_pending flag on the transport. However, if we received a valid HEARTBEAT-ACK, we want to force update the rto variables, so re-set the rto_pending flag before calling sctp_transport_update_rto(). Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller --- net/sctp/sm_sideeffect.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c index 8bd30976cdee..6db77d1329f7 100644 --- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -621,7 +621,13 @@ static void sctp_cmd_transport_on(sctp_cmd_seq_t *cmds, /* The receiver of the HEARTBEAT ACK should also perform an * RTT measurement for that destination transport address * using the time value carried in the HEARTBEAT ACK chunk. + * If the transport's rto_pending variable has been cleared, + * it was most likely due to a retransmit. However, we want + * to re-enable it to properly update the rto. */ + if (t->rto_pending == 0) + t->rto_pending = 1; + hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; sctp_transport_update_rto(t, (jiffies - hbinfo->sent_at)); From 2e5530236645a042e1481aa19879b819c3e8f5c9 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 30 Jan 2007 21:36:09 -0800 Subject: [PATCH 8/8] [NETFILTER]: xt_hashlimit: fix ip6tables dependency IP6_NF_IPTABLES=m, CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y results in a linker error since ipv6_find_hdr is defined in ip6_tables.c. Fix similar to Adrian Bunk's H.323 conntrack patch: selecting ip6_tables to be build as module requires hashlimit to be built as module as well. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index cd10e44db015..2a2bcb303bfa 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -628,7 +628,7 @@ config NETFILTER_XT_MATCH_TCPMSS config NETFILTER_XT_MATCH_HASHLIMIT tristate '"hashlimit" match support' - depends on NETFILTER_XTABLES + depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) help This option adds a `hashlimit' match.