lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 2 Jun 2008 14:11:42 +0300
From:	"Rami Rosen" <ramirose@...il.com>
To:	"Patrick McHardy" <kaber@...sh.net>
Cc:	"David Miller" <davem@...emloft.net>,
	netfilter-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH net-2.6] [NETFILTER] Misc Cleanups.

Hi,
  - Thanks for your comments; I was not aware that this issues occur
in other places too; attached here is another patch, fixing where
applicable in ip6_queue and nfnetlink_queue.

  1) in net/ipv6/netfilter/ip6_queue.c
    - No need to perform data_len = 0 in the switch command, since data_len
	   is initialized to 0 in the beginning of the
ipq_build_packet_message() method
    - We can reach nlmsg_failure only from one place; skb is sure to be NULL
	     when getting there; since skb is NULL, there is no need to check this fact
	     and call kfree_skb().

2) in net/netfilter/nfnetlink_queue.c:
    - No need to perform data_len = 0 in the switch command, since data_len
	   is initialized to 0 in the beginning of the
nfqnl_build_packet_message() method

(Note: here, as opposed to previous patch, nlmsg_failure must check
skb and free it if it is not NULL, so the call to kfree_skb() is
needed , so it is not removed)
	
 	

Regards,
Rami Rosen


Signed-off-by: Rami Rosen <ramirose@...il.com>


On Mon, Jun 2, 2008 at 12:46 PM, Patrick McHardy <kaber@...sh.net> wrote:
> David Miller wrote:
>>
>> Forwarding to netfilter-devel where this belongs...
>
> Thanks.
>
>>        In this patch, these three fixes were made in
>> net/ipv4/netfilter/ip_queue.c:
>>
>>        1) No need to perform data_len = 0 in the switch command, since
>> data_len
>>           is initialized to 0 in the beginning of the method
>> ,ipq_build_packet_message().
>>
>>        2) We can reach nlmsg_failure only from one place; skb is sure to
>> be NULL
>>           when getting there; since skb is NULL, there is no need to check
>> this fact
>>           and call kfree_skb().
>>
>>        3) Add #ifdef CONFIG_PROC_FS when removing the VFS entry,
>>                 proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
>>
>>
>> Regards,
>> Rami Rosen
>>
>>
>> Signed-off-by: Rami Rosen <ramirose@...il.com>
>
> 1) also affects ip6_queue and nfnetlink_queue
> 2) also affects ip6_queue
> 3) is unnecessary since proc_net_remove is a NOP without
>   CONFIG_PROC_FS
>
> Please update your patch to also change ip6_queue and
> nfnetlink_queue where applicable. Thanks.
>
>
>

View attachment "patch.txt" of type "text/plain" (1068 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ