lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20131221113804.GA17964@localhost>
Date:	Sat, 21 Dec 2013 12:38:04 +0100
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	valentina.giusti@...-carit.de
Cc:	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
	jpa@...gle.com, fw@...nel.de, daniel.wagner@...-carit.de
Subject: Re: [PATCH v4 2/2] libnetfilter_queue: add support for UID/GID
 socket info

Hi,

On Fri, Dec 20, 2013 at 05:28:54PM +0100, valentina.giusti@...-carit.de wrote:
[...]
> diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h
> index 81a485b..884ab0e 100644
> --- a/include/libnetfilter_queue/linux_nfnetlink_queue.h
> +++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h
> @@ -50,6 +50,8 @@ enum nfqnl_attr_type {
>  	NFQA_CAP_LEN,                   /* __u32 length of captured packet */
>  	NFQA_SKB_INFO,                  /* __u32 skb meta information */
>  
> +	NFQA_UID,			/* __u32 sk uid */
> +	NFQA_GID,			/* __u32 sk gid */

This update is wrong. See below the reason why.

>  	__NFQA_MAX
>  };
>  #define NFQA_MAX (__NFQA_MAX - 1)
> @@ -101,7 +103,8 @@ enum nfqnl_attr_config {
>  #define NFQA_CFG_F_FAIL_OPEN		(1 << 0)
>  #define NFQA_CFG_F_CONNTRACK		(1 << 1)
>  #define NFQA_CFG_F_GSO			(1 << 2)
> -#define NFQA_CFG_F_MAX			(1 << 3)
> +#define NFQA_CFG_F_UID_GID		(1 << 3)
> +#define NFQA_CFG_F_MAX			(1 << 4)
>  
>  /* flags for NFQA_SKB_INFO */
>  /* packet appears to have wrong checksums, but they are ok */
> diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
> index a2308ae..22f5d45 100644
> --- a/include/linux/netfilter/nfnetlink_queue.h
> +++ b/include/linux/netfilter/nfnetlink_queue.h
> @@ -46,6 +46,9 @@ enum nfqnl_attr_type {
>  	NFQA_CT_INFO,			/* enum ip_conntrack_info */
>  	NFQA_CAP_LEN,			/* __u32 length of captured packet */
>  	NFQA_SKB_INFO,			/* __u32 skb meta information */
> +	NFQA_EXP,			/* nf_conntrack_netlink.h */
> +	NFQA_UID,			/* __u32 sk uid */
> +	NFQA_GID,			/* __u32 sk gid */

You have manually updated libnetfilter_queue/linux_nfnetlink_queue.h,
but you forgot to include NFQA_EXP. The result is that your
nfq_get_uid() returns the NFQA_EXP attribute and nfq_get_gid() returns
the NFQA_UID attribute.

You should have noticed it with a simple run of utils/nfqnl_test run
and a couple of printf to test it. I'm afraid that you're not giving
sufficient testing to your patches.

Fix it and resubmit, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ