lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20170206114432.GA15498@salvia>
Date:   Mon, 6 Feb 2017 12:44:32 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Kevin Cernekee <cernekee@...omium.org>
Cc:     dianders@...omium.org, davem@...emloft.net,
        netfilter-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH V2 1/2] netfilter: ctnetlink: Fix regression in
 CTA_STATUS processing

On Thu, Jan 26, 2017 at 02:49:43PM -0800, Kevin Cernekee wrote:
> The libnetfilter_conntrack userland library always sets IPS_CONFIRMED
> when building a CTA_STATUS attribute.  If this toggles the bit from
> 0->1, the parser will return an error.  On Linux 4.4+ this will cause any
> NFQA_EXP attribute in the packet to be ignored.  This breaks conntrackd's
> userland helpers because they operate on unconfirmed connections.
> 
> Instead of returning -EBUSY if the user program asks to modify an
> unchangeable bit, simply ignore the change.
> 
> Also, fix the logic so that user programs are allowed to clear
> the bits that they are allowed to change.

Applied, thanks Kevin.

I have manually fixed here this compilation warning, btw:

net/netfilter/nf_conntrack_netlink.c:1449:1: warning:
‘ctnetlink_update_status’ defined but not used [-Wunused-function] ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
 ^

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ