| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180125000007.dbg536a7ncstpoqc@salvia>
Date: Thu, 25 Jan 2018 01:00:07 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: David Miller <davem@...emloft.net>
Cc: eyal.birger@...il.com, jhs@...atatu.com, xiyou.wangcong@...il.com,
netdev@...r.kernel.org, shmulik@...anetworks.com,
eyal@...anetworks.com
Subject: Re: [PATCH net-next 2/2] net: sched: add em_ipt ematch for calling
xtables matches
On Wed, Jan 24, 2018 at 04:37:16PM -0500, David Miller wrote:
> From: Eyal Birger <eyal.birger@...il.com>
> Date: Tue, 23 Jan 2018 11:17:32 +0200
>
> > + network_offset = skb_network_offset(skb);
> > + skb_pull(skb, network_offset);
> > +
> > + rcu_read_lock();
> > +
> > + if (skb->skb_iif)
> > + indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
> > +
> > + nf_hook_state_init(&state, im->hook, im->nfproto, indev ?: skb->dev,
> > + skb->dev, NULL, em->net, NULL);
> > +
> > + acpar.match = im->match;
> > + acpar.matchinfo = im->match_data;
> > + acpar.state = &state;
> > +
> > + ret = im->match->match(skb, &acpar);
> > +
> > + rcu_read_unlock();
> > +
> > + skb_push(skb, network_offset);
>
> If the SKB is shared in any way, this pull/push around the NF hook
> invocation is illegal.
At ingress, skb->data points to the network header, which is what the
xtables matches expect, so these are actually noops, therefore,
skb_pull() and skb_push() can be removed.
Powered by blists - more mailing lists