Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity
android_kernel_google_msm/net/ipv6
History
Florian Westphal e36cedc2d0 netfilter: x_tables: fix unconditional helper 
Ben Hawkes says:

 In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
 is possible for a user-supplied ipt_entry structure to have a large
 next_offset field. This field is not bounds checked prior to writing a
 counter value at the supplied offset.

Problem is that mark_source_chains should not have been called --
the rule doesn't have a next entry, so its supposed to return
an absolute verdict of either ACCEPT or DROP.

However, the function conditional() doesn't work as the name implies.
It only checks that the rule is using wildcard address matching.

However, an unconditional rule must also not be using any matches
(no -m args).

The underflow validator only checked the addresses, therefore
passing the 'unconditional absolute verdict' test, while
mark_source_chains also tested for presence of matches, and thus
proceeeded to the next (not-existent) rule.

Unify this so that all the callers have same idea of 'unconditional rule'.

Change-Id: I9f03d0c10a5f6a55a0320be1227f9fbf7cc1ea12
Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-10-29 23:12:35 +08:00
..
netfilter netfilter: x_tables: fix unconditional helper 2016-10-29 23:12:35 +08:00
addrconf.c ipv6: clean up anycast when an interface is destroyed 2016-10-29 23:12:33 +08:00
addrconf_core.c
addrlabel.c
af_inet6.c net: add validation for the socket syscall protocol argument 2016-10-29 23:12:11 +08:00
ah6.c
anycast.c ipv6: clean up anycast when an interface is destroyed 2016-10-29 23:12:33 +08:00
datagram.c ipv6: add complete rcu protection around np->opt 2016-06-17 02:54:32 +00:00
esp6.c
exthdrs.c ipv6: add complete rcu protection around np->opt 2016-06-17 02:54:32 +00:00
exthdrs_core.c
fib6_rules.c
icmp.c net: add a sysctl to reflect the fwmark on replies 2014-05-12 22:39:57 -07:00
inet6_connection_sock.c ipv6: add complete rcu protection around np->opt 2016-06-17 02:54:32 +00:00
inet6_hashtables.c
ip6_fib.c
ip6_flowlabel.c
ip6_input.c
ip6_output.c
ip6_tunnel.c
ip6mr.c
ipcomp6.c
ipv6_sockglue.c ipv6: add complete rcu protection around np->opt 2016-06-17 02:54:32 +00:00
Kconfig
Makefile
mcast.c
mip6.c
ndisc.c ipv6: Don't reduce hop limit for an interface 2016-10-29 23:12:10 +08:00
netfilter.c
ping.c net: ping: Return EAFNOSUPPORT when appropriate. 2015-05-20 15:24:04 +09:00
proc.c
protocol.c
raw.c ipv6: add complete rcu protection around np->opt 2016-06-17 02:54:32 +00:00
reassembly.c
route.c Set the iif for IPv6 packets as well. 2015-05-20 15:36:18 +09:00
sit.c
syncookies.c ipv6: add complete rcu protection around np->opt 2016-06-17 02:54:32 +00:00
sysctl_net_ipv6.c net: add a sysctl to reflect the fwmark on replies 2014-05-12 22:39:57 -07:00
tcp_ipv6.c ipv6: add complete rcu protection around np->opt 2016-06-17 02:54:32 +00:00
tunnel6.c
udp.c udp: fix behavior of wrong checksums 2016-10-29 23:12:10 +08:00
udp_impl.h
udplite.c
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c
xfrm6_state.c
xfrm6_tunnel.c