| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Jun 2023 14:38:10 +0200 From: Florian Westphal <fw@...len.de> To: <netdev@...r.kernel.org> Cc: Florian Westphal <fw@...len.de> Subject: [PATCH net v3 0/3] net/sched: act_ipt bug fixes v3: prefer skb_header() helper in patch 2. No other changes. I've retained Acks and RvB-Tags of v2. While checking if netfilter could be updated to replace selected instances of NF_DROP with kfree_skb_reason+NF_STOLEN to improve debugging info via drop monitor I found that act_ipt is incompatible with such an approach. Moreover, it lacks multiple sanity checks to avoid certain code paths that make assumptions that the tc layer doesn't meet, such as header sanity checks, availability of skb_dst, skb_nfct() and so on. act_ipt test in the tc selftest still pass with this applied. I think that we should consider removal of this module, while this should take care of all problems, its ipv4 only and I don't think there are any netfilter targets that lack a native tc equivalent, even when ignoring bpf. Florian Westphal (3): net/sched: act_ipt: add sanity checks on table name and hook locations net/sched: act_ipt: add sanity checks on skb before calling target net/sched: act_ipt: zero skb->cb before calling target net/sched/act_ipt.c | 70 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 63 insertions(+), 7 deletions(-) -- 2.39.3
Powered by blists - more mailing lists