leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7b4fdf77a4
linux/net/ipv4/netfilter
History
Florian Westphal 7b4fdf77a4 netfilter: don't track fragmented packets 
Andrey reports syzkaller splat caused by

NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));

in ipv4 nat.  But this assertion (and the comment) are wrong, this function
does see fragments when IP_NODEFRAG setsockopt is used.

As conntrack doesn't track packets without complete l4 header, only the
first fragment is tracked.

Because applying nat to first packet but not the rest makes no sense this
also turns off tracking of all fragments.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-03-08 18:02:12 +01:00
..
arp_tables.c arptables: use match, target and data copy_to_user helpers 2017-01-09 17:24:54 +01:00
arpt_mangle.c netfilter: arpt_mangle: fix return values of checkentry 2011-02-01 16:03:46 +01:00
arptable_filter.c netfilter: arp_tables: register table in initns 2016-04-07 11:58:49 +02:00
ip_tables.c iptables: use match, target and data copy_to_user helpers 2017-01-09 17:24:53 +01:00
ipt_ah.c netfilter: ipv4: whitespace around operators 2015-10-16 19:19:23 +02:00
ipt_CLUSTERIP.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-02-03 16:58:20 -05:00
ipt_ECN.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
ipt_MASQUERADE.c netfilter: nat: add dependencies on conntrack module 2016-12-04 21:16:51 +01:00
ipt_REJECT.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
ipt_rpfilter.c netfilter: rpfilter: fix incorrect loopback packet judgment 2017-01-16 14:23:01 +01:00
ipt_SYNPROXY.c netfilter: add and use nf_ct_set helper 2017-02-02 14:31:54 +01:00
iptable_filter.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_mangle.c netfilter: x_tables: simplify ip{6}table_mangle_hook() 2016-07-01 16:37:02 +02:00
iptable_nat.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_raw.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_security.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
Kconfig netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
Makefile netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
nf_conntrack_l3proto_ipv4.c netfilter: don't track fragmented packets 2017-03-08 18:02:12 +01:00
nf_conntrack_proto_icmp.c netfilter: add and use nf_ct_set helper 2017-02-02 14:31:54 +01:00
nf_defrag_ipv4.c skbuff: add and use skb_nfct helper 2017-02-02 14:31:53 +01:00
nf_dup_ipv4.c netfilter: add and use nf_ct_set helper 2017-02-02 14:31:54 +01:00
nf_log_arp.c lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
nf_log_ipv4.c netfilter: allow logging from non-init namespaces 2017-02-02 14:31:58 +01:00
nf_nat_h323.c netfilter: nf_nat_h323: fix crash in nf_ct_unlink_expect_report() 2014-02-05 17:46:05 +01:00
nf_nat_l3proto_ipv4.c netfilter: don't track fragmented packets 2017-03-08 18:02:12 +01:00
nf_nat_masquerade_ipv4.c ipv4: Don't do expensive useless work during inetdev destroy. 2016-03-13 23:28:35 -04:00
nf_nat_pptp.c netfilter: Fix removal of GRE expectation entries created by PPTP 2015-11-09 13:32:14 +01:00
nf_nat_proto_gre.c netfilter: gre: Use consistent GRE and PTTP header structure instead of the ones defined by netfilter 2016-09-07 10:36:52 +02:00
nf_nat_proto_icmp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_snmp_basic.c net ipv4: use preferred log methods 2015-11-18 13:37:20 -05:00
nf_reject_ipv4.c netfilter: use fwmark_reflect in nf_send_reset 2017-01-09 18:01:03 +01:00
nf_socket_ipv4.c netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
nf_tables_arp.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nf_tables_ipv4.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nft_chain_nat_ipv4.c netfilter: Pass priv instead of nf_hook_ops to netfilter hooks 2015-09-18 22:00:16 +02:00
nft_chain_route_ipv4.c netfilter: nft_chain_route: re-route before skb is queued to userspace 2016-09-06 18:02:37 +02:00
nft_dup_ipv4.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-11-15 10:54:36 -05:00
nft_fib_ipv4.c netfilter: rpfilter: fix incorrect loopback packet judgment 2017-01-16 14:23:01 +01:00
nft_masq_ipv4.c netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions 2016-12-04 21:17:16 +01:00
nft_redir_ipv4.c netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions 2016-12-04 21:17:16 +01:00
nft_reject_ipv4.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00