Message-ID: <20200526114544.2510d245@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net>
Date:   Tue, 26 May 2020 11:45:44 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org
Subject: Re: [PATCH 4/5] netfilter: conntrack: make conntrack userspace
 helpers work again

On Mon, 25 May 2020 23:54:19 +0200 Pablo Neira Ayuso wrote:
> +/* This packet is coming from userspace via nf_queue, complete the packet
> + * processing after the helper invocation in nf_confirm().
> + */
> +static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct,
> +			       enum ip_conntrack_info ctinfo)
> +{
> +	const struct nf_conntrack_helper *helper;
> +	const struct nf_conn_help *help;
> +	unsigned int protoff;
> +
> +	help = nfct_help(ct);
> +	if (!help)
> +		return 0;
> +
> +	helper = rcu_dereference(help->helper);
> +	if (!(helper->flags & NF_CT_HELPER_F_USERSPACE))
> +		return 0;
> +
> +	switch (nf_ct_l3num(ct)) {
> +	case NFPROTO_IPV4:
> +		protoff = skb_network_offset(skb) + ip_hdrlen(skb);
> +		break;
> +#if IS_ENABLED(CONFIG_IPV6)
> +	case NFPROTO_IPV6: {
> +		__be16 frag_off;
> +		u8 pnum;
> +
> +		pnum = ipv6_hdr(skb)->nexthdr;
> +		protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &pnum,
> +					   &frag_off);
> +		if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
> +			return 0;
> +		break;
> +	}
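
Review bot: in the NFPROTO_IPV6 case the `protoff < 0` test can never be true, because protoff is declared `unsigned int` at the top of nf_confirm_cthelper(). A negative error return from ipv6_skip_exthdr() is therefore stored as a very large positive offset and the intended early `return 0` is skipped. Declare protoff as `int`, or take the return value in a separate signed local and check it before assigning, so the error path is actually reachable.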

net/netfilter/nf_conntrack_core.c: In function nf_confirm_cthelper:
net/netfilter/nf_conntrack_core.c:2117:15: warning: comparison of unsigned expression in < 0 is always false [-Wtype-limits]
 2117 |   if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
      |               ^
