| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160926163920.GB17426@breakpoint.cc>
Date: Mon, 26 Sep 2016 18:39:20 +0200
From: Florian Westphal <fw@...len.de>
To: Aaron Conole <aconole@...heb.org>
Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
Florian Westphal <fw@...len.de>,
Pablo Neira Ayuso <pablo@...filter.org>
Subject: Re: [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different
kconfig
Aaron Conole <aconole@...heb.org> wrote:
> When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
> the request for registration properly by dropping the hook. This
> releases the entry during the set.
>
> Signed-off-by: Aaron Conole <aconole@...heb.org>
> ---
> net/netfilter/core.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index e58e420..1d0a4c9 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -90,10 +90,14 @@ static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg,
> {
> switch (reg->pf) {
> case NFPROTO_NETDEV:
> +#ifdef CONFIG_NETFILTER_INGRESS
> /* We already checked in nf_register_net_hook() that this is
> * used from ingress.
> */
> rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry);
> +#else
> + kfree(entry);
> +#endif
> break;
This looks dodgy (its correct though).
I'd propose to add a test to nf_register_net_hook()
to bail with -EOPNOSTUPP instead of this "#else kfree()" if we get
NFPROTO_NETDEV pf with CONFIG_NETFILTER_INGRESS=n build instead.
Powered by blists - more mailing lists