| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 21 Dec 2013 12:38:04 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: valentina.giusti@...-carit.de
Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
jpa@...gle.com, fw@...nel.de, daniel.wagner@...-carit.de
Subject: Re: [PATCH v4 2/2] libnetfilter_queue: add support for UID/GID
socket info
Hi,
On Fri, Dec 20, 2013 at 05:28:54PM +0100, valentina.giusti@...-carit.de wrote:
[...]
> diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h
> index 81a485b..884ab0e 100644
> --- a/include/libnetfilter_queue/linux_nfnetlink_queue.h
> +++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h
> @@ -50,6 +50,8 @@ enum nfqnl_attr_type {
> NFQA_CAP_LEN, /* __u32 length of captured packet */
> NFQA_SKB_INFO, /* __u32 skb meta information */
>
> + NFQA_UID, /* __u32 sk uid */
> + NFQA_GID, /* __u32 sk gid */
This update is wrong. See below the reason why.
> __NFQA_MAX
> };
> #define NFQA_MAX (__NFQA_MAX - 1)
> @@ -101,7 +103,8 @@ enum nfqnl_attr_config {
> #define NFQA_CFG_F_FAIL_OPEN (1 << 0)
> #define NFQA_CFG_F_CONNTRACK (1 << 1)
> #define NFQA_CFG_F_GSO (1 << 2)
> -#define NFQA_CFG_F_MAX (1 << 3)
> +#define NFQA_CFG_F_UID_GID (1 << 3)
> +#define NFQA_CFG_F_MAX (1 << 4)
>
> /* flags for NFQA_SKB_INFO */
> /* packet appears to have wrong checksums, but they are ok */
> diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
> index a2308ae..22f5d45 100644
> --- a/include/linux/netfilter/nfnetlink_queue.h
> +++ b/include/linux/netfilter/nfnetlink_queue.h
> @@ -46,6 +46,9 @@ enum nfqnl_attr_type {
> NFQA_CT_INFO, /* enum ip_conntrack_info */
> NFQA_CAP_LEN, /* __u32 length of captured packet */
> NFQA_SKB_INFO, /* __u32 skb meta information */
> + NFQA_EXP, /* nf_conntrack_netlink.h */
> + NFQA_UID, /* __u32 sk uid */
> + NFQA_GID, /* __u32 sk gid */
You have manually updated libnetfilter_queue/linux_nfnetlink_queue.h,
but you forgot to include NFQA_EXP. The result is that your
nfq_get_uid() returns the NFQA_EXP attribute and nfq_get_gid() returns
the NFQA_UID attribute.
You should have noticed it with a simple run of utils/nfqnl_test run
and a couple of printf to test it. I'm afraid that you're not giving
sufficient testing to your patches.
Fix it and resubmit, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists