lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHk-=wiAgNCLq2Lv4qu08P1SRv0D3mXLCqPq-XGJiTbGrP=omg@mail.gmail.com>
Date:   Mon, 21 Feb 2022 09:56:10 -0800
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Woody Suwalski <wsuwalski@...il.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Pablo Neira Ayuso <pablo@...filter.org>,
        Florian Westphal <fw@...len.de>
Cc:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Netdev <netdev@...r.kernel.org>
Subject: Re: Linux 5.17-rc5

On Mon, Feb 21, 2022 at 6:23 AM Woody Suwalski <wsuwalski@...il.com> wrote:
>
> Compile failed like reported by Robert Gadson in
> https://lkml.org/lkml/2022/2/20/341
>
> As a workaround:
> nf_defrag_ipv6.patch
> --- a/net/netfilter/xt_socket.c    2022-02-21 07:29:21.938263397 -0500
> +++ b/net/netfilter/xt_socket.c    2022-02-21 07:40:16.730022272 -0500
> @@ -17,11 +17,11 @@
>   #include <net/inet_sock.h>
>   #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
>
> -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> +//#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
>   #include <linux/netfilter_ipv6/ip6_tables.h>
...

Hmm. That may fix the compile failure, but it looks somewhat broken to me.

Other cases of nf_defrag_ipv6_disable() end up being protected by

   #if IS_ENABLED(CONFIG_NF_TABLES_IPV6)

at the use-point, not by just assuming it always exists even when
CONFIG_NF_TABLES_IPV6 is off.

So I think the proper fix is something along the lines of

  --- a/net/netfilter/xt_socket.c
  +++ b/net/netfilter/xt_socket.c
  @@ -220,8 +220,10 @@ static void socket_mt_destroy(const struct
xt_mtdtor_param *par)
   {
        if (par->family == NFPROTO_IPV4)
                nf_defrag_ipv4_disable(par->net);
  +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
        else if (par->family == NFPROTO_IPV6)
                nf_defrag_ipv6_disable(par->net);
  +#endif
   }

instead. Entirely untested, because that's how I roll, but I suspect
the netfilter people will know what to do.

Added guilty parties and mailing list to the participants.

                Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ