| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4BEDA3CA.4030407@trash.net>
Date: Fri, 14 May 2010 21:26:02 +0200
From: Patrick McHardy <kaber@...sh.net>
To: Jason Gunthorpe <jgunthorpe@...idianresearch.com>
CC: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCHv2] netfilter: Remove skb_is_nonlinear check from nf_conntrack_sip
Patrick McHardy wrote:
> Jason Gunthorpe wrote:
>> On Fri, May 14, 2010 at 08:13:03PM +0200, Patrick McHardy wrote:
>>> Your patch is based on an old version, the current version also
>>> supports TCP. I'll commit this patch to my tree after some testing.
>> Thanks!
>>
>>> diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
>>> index b20f427..45750cc 100644
>>> +++ b/net/netfilter/nf_conntrack_sip.c
>>> @@ -1393,10 +1393,8 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
>>>
>>> nf_ct_refresh(ct, skb, sip_timeout * HZ);
>>>
>>> - if (skb_is_nonlinear(skb)) {
>>> - pr_debug("Copy of skbuff not supported yet.\n");
>>> + if (unlikely(skb_linearize(skb)))
>>> return NF_ACCEPT;
>>> - }
>> Should this be NF_DROP? As I understand it skb_linearize only failes
>> if it runs out of memory, which probably means dropping is OK. But
>> passing a packet that might need rewriting could be harmful..
>
> We so far also didn't rewrite the packet. But agreed, its
> a corner case and dropping it is the safer choice.
This is what I've added to my tree. Tested with asterisk and TSO
enabled NIC, which fails without this patch.
View attachment "x" of type "text/plain" (1463 bytes)
Powered by blists - more mailing lists