Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains three Netfilter updates, they are: * Fix wrong usage of skb_header_pointer in the DCCP protocol helper that has been there for quite some time. It was resulting in copying the dccp header to a pointer allocated in the stack. Fortunately, this pointer provides room for the dccp header is 4 bytes long, so no crashes have been reported so far. From Daniel Borkmann. * Use format string to print in the invocation of nf_log_packet(), again in the DCCP helper. Also from Daniel Borkmann. * Revert "netfilter: avoid get_random_bytes call" as prandom32 does not guarantee enough entropy when being calling this at boot time, that may happen when reloading the rule. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2024-10-28 23:24:50 +00:00 · 2014-01-08 15:04:56 -05:00 · 2014-01-08 15:04:56 -05:00 · 54b553e2c1
commit 54b553e2c1
parent 80077935ca b22f5126a2
7 changed files with 18 additions and 10 deletions
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
 	const char *msg;
 	u_int8_t state;

-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 	BUG_ON(dh == NULL);

 	state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
@ -457,7 +457,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
 out_invalid:
 	if (LOG_INVALID(net, IPPROTO_DCCP))
 		nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL,
-			      NULL, msg);
+			      NULL, "%s", msg);
 	return false;
 }

@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
 	u_int8_t type, old_state, new_state;
 	enum ct_dccp_roles role;

-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 	BUG_ON(dh == NULL);
 	type = dh->dccph_type;

@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
 	unsigned int cscov;
 	const char *msg;

-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 	if (dh == NULL) {
 		msg = "nf_ct_dccp: short packet ";
 		goto out_invalid;
@ -614,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,

 out_invalid:
 	if (LOG_INVALID(net, IPPROTO_DCCP))
-		nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, msg);
+		nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", msg);
 	return -NF_ACCEPT;
 }

--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@ -28,6 +28,8 @@
 #include <linux/proc_fs.h>
 #include <linux/security.h>
 #include <linux/list.h>
+#include <linux/jhash.h>
+#include <linux/random.h>
 #include <linux/slab.h>
 #include <net/sock.h>
 #include <net/netfilter/nf_log.h>
@ -73,6 +75,7 @@ struct nfulnl_instance {
 };

 #define INSTANCE_BUCKETS	16
+static unsigned int hash_init;

 static int nfnl_log_net_id __read_mostly;

@ -1064,6 +1067,11 @@ static int __init nfnetlink_log_init(void)
 {
 	int status = -ENOMEM;

+	/* it's not really all that important to have a random value, so
+	 * we can do this from the init function, even if there hasn't
+	 * been that much entropy yet */
+	get_random_bytes(&hash_init, sizeof(hash_init));
+
 	netlink_register_notifier(&nfulnl_rtnl_notifier);
 	status = nfnetlink_subsys_register(&nfulnl_subsys);
 	if (status < 0) {
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@ -164,7 +164,7 @@ static int nft_hash_init(const struct nft_set *set,
 	unsigned int cnt, i;

 	if (unlikely(!nft_hash_rnd_initted)) {
-		nft_hash_rnd = prandom_u32();
+		get_random_bytes(&nft_hash_rnd, 4);
 		nft_hash_rnd_initted = true;
 	}

--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@ -100,7 +100,7 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
 	int ret;

 	if (unlikely(!rnd_inited)) {
-		jhash_rnd = prandom_u32();
+		get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
 		rnd_inited = true;
 	}

--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@ -229,7 +229,7 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
 		u_int32_t rand;

 		do {
-			rand = prandom_u32();
+			get_random_bytes(&rand, sizeof(rand));
 		} while (!rand);
 		cmpxchg(&connlimit_rnd, 0, rand);
 	}
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@ -177,7 +177,7 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
 	/* initialize hash with random val at the time we allocate
 	 * the first hashtable entry */
 	if (unlikely(!ht->rnd_initialized)) {
-		ht->rnd = prandom_u32();
+		get_random_bytes(&ht->rnd, sizeof(ht->rnd));
 		ht->rnd_initialized = true;
 	}

--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@ -334,7 +334,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
 	size_t sz;

 	if (unlikely(!hash_rnd_inited)) {
-		hash_rnd = prandom_u32();
+		get_random_bytes(&hash_rnd, sizeof(hash_rnd));
 		hash_rnd_inited = true;
 	}
 	if (info->check_set & ~XT_RECENT_VALID_FLAGS) {