OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/net/netfilter
History
Stephen Suryaputra 666d1d1a05 netfilter: nf_tables: nft_exthdr: the presence return value should be little-endian 
[ Upstream commit b428336676 ]

On big-endian machine, the returned register data when the exthdr is
present is not being compared correctly because little-endian is
assumed. The function nft_cmp_fast_mask(), called by nft_cmp_fast_eval()
and nft_cmp_fast_init(), calls cpu_to_le32().

The following dump also shows that little endian is assumed:

$ nft --debug=netlink add rule ip recordroute forward ip option rr exists counter
ip
  [ exthdr load ipv4 1b @ 7 + 0 present => reg 1 ]
  [ cmp eq reg 1 0x01000000 ]
  [ counter pkts 0 bytes 0 ]

Lastly, debug print in nft_cmp_fast_init() and nft_cmp_fast_eval() when
RR option exists in the packet shows that the comparison fails because
the assumption:

nft_cmp_fast_init:189 priv->sreg=4 desc.len=8 mask=0xff000000 data.data[0]=0x10003e0
nft_cmp_fast_eval:57 regs->data[priv->sreg=4]=0x1 mask=0xff000000 priv->data=0x1000000

v2: use nft_reg_store8() instead (Florian Westphal). Also to avoid the
    warnings reported by kernel test robot.

Fixes: dbb5281a1f ("netfilter: nf_tables: add support for matching IPv4 options")
Fixes: c078ca3b0c ("netfilter: nft_exthdr: Add support for existence check")
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2020-08-26 10:40:59 +02:00
..
ipset netfilter: ipset: call ip_set_free() instead of kfree() 2020-07-16 08:16:37 +02:00
ipvs ipvs: allow connection reuse for unconfirmed conntrack 2020-08-19 08:16:10 +02:00
Kconfig
Makefile
core.c
nf_conncount.c
nf_conntrack_acct.c
nf_conntrack_amanda.c
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: conntrack: refetch conntrack after nf_conntrack_update() 2020-07-16 08:16:38 +02:00
nf_conntrack_ecache.c
nf_conntrack_expect.c
nf_conntrack_extend.c
nf_conntrack_ftp.c
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c
nf_conntrack_h323_types.c
nf_conntrack_helper.c
nf_conntrack_irc.c
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: ctnetlink: netns exit must wait for callbacks 2020-01-12 12:21:13 +01:00
nf_conntrack_pptp.c netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build 2020-06-03 08:21:39 +02:00
nf_conntrack_proto.c
nf_conntrack_proto_dccp.c netfilter: conntrack: dccp, sctp: handle null timeout argument 2020-01-14 20:08:39 +01:00
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c
nf_conntrack_proto_icmp.c
nf_conntrack_proto_icmpv6.c
nf_conntrack_proto_sctp.c netfilter: conntrack: sctp: use distinct states for new SCTP connections 2020-02-05 21:22:52 +00:00
nf_conntrack_proto_tcp.c
nf_conntrack_proto_udp.c
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: nf_conntrack: ct_cpu_seq_next should increase position index 2020-03-18 07:17:49 +01:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c
nf_flow_table_core.c
nf_flow_table_inet.c
nf_flow_table_ip.c netfilter: flowtable: reload ip{v6}h in nf_flow_tuple_ip{v6} 2020-04-01 11:02:09 +02:00
nf_internals.h
nf_log.c
nf_log_common.c
nf_log_netdev.c
nf_nat_amanda.c
nf_nat_core.c
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c
nf_nat_proto.c netfilter: nat: never update the UDP checksum when it's 0 2020-05-14 07:58:29 +02:00
nf_nat_redirect.c
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c netfilter: nf_queue: enqueue skbs with NULL dst 2020-01-09 10:20:03 +01:00
nf_sockopt.c
nf_synproxy_core.c netfilter: synproxy: synproxy_cpu_seq_next should increase position index 2020-03-18 07:17:49 +01:00
nf_tables_api.c netfilter: nf_tables: report EOPNOTSUPP on unsupported flags/object type 2020-04-23 10:36:19 +02:00
nf_tables_core.c
nf_tables_offload.c netfilter: nf_tables_offload: fix check the chain offload flag 2020-02-05 21:22:52 +00:00
nf_tables_set_core.c
nf_tables_trace.c
nfnetlink.c netfilter: nf_tables: autoload modules from the abort path 2020-01-29 16:45:33 +01:00
nfnetlink_acct.c
nfnetlink_cthelper.c netfilter: nfnetlink_cthelper: unbreak userspace helper support 2020-06-03 08:21:35 +02:00
nfnetlink_cttimeout.c
nfnetlink_log.c
nfnetlink_osf.c netfilter: nf_osf: avoid passing pointer to local var 2020-05-14 07:58:29 +02:00
nfnetlink_queue.c
nft_bitwise.c netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init() 2020-01-12 12:21:18 +01:00
nft_byteorder.c
nft_chain_filter.c
nft_chain_nat.c netfilter: nft_chain_nat: inet family is missing module ownership 2020-03-18 07:17:58 +01:00
nft_chain_route.c
nft_cmp.c netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init() 2020-01-12 12:21:18 +01:00
nft_compat.c
nft_connlimit.c
nft_counter.c
nft_ct.c
nft_dup_netdev.c
nft_dynset.c
nft_exthdr.c netfilter: nf_tables: nft_exthdr: the presence return value should be little-endian 2020-08-26 10:40:59 +02:00
nft_fib.c
nft_fib_inet.c
nft_fib_netdev.c
nft_flow_offload.c netfilter: nft_flow_offload: fix underflow in flowtable reference counter 2020-01-17 19:48:19 +01:00
nft_fwd_netdev.c net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-04-01 11:02:18 +02:00
nft_hash.c
nft_immediate.c
nft_limit.c
nft_log.c
nft_lookup.c
nft_masq.c
nft_meta.c netfilter: nft_meta: use 64-bit time arithmetic 2020-01-17 19:48:33 +01:00
nft_nat.c netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported 2020-06-22 09:31:00 +02:00
nft_numgen.c
nft_objref.c
nft_osf.c netfilter: nft_osf: add missing check for DREG attribute 2020-01-29 16:45:29 +01:00
nft_payload.c netfilter: nft_payload: add missing attribute validation for payload csum flags 2020-03-18 07:17:57 +01:00
nft_queue.c
nft_quota.c
nft_range.c netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init() 2020-01-12 12:21:18 +01:00
nft_redir.c
nft_reject.c
nft_reject_inet.c
nft_rt.c
nft_set_bitmap.c
nft_set_hash.c
nft_set_rbtree.c netfilter: nft_set_rbtree: Add missing expired checks 2020-05-20 08:20:25 +02:00
nft_socket.c
nft_synproxy.c
nft_tproxy.c netfilter: nft_tproxy: Fix port selector on Big Endian 2020-01-09 10:19:54 +01:00
nft_tunnel.c netfilter: nft_tunnel: add missing attribute validation for tunnels 2020-03-18 07:17:57 +01:00
nft_xfrm.c
utils.c
x_tables.c netfilter: x_tables: xt_mttg_seq_next should increase position index 2020-03-18 07:17:50 +01:00
xt_AUDIT.c
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_CONNSECMARK.c
xt_CT.c
xt_DSCP.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c
xt_LED.c
xt_LOG.c
xt_MASQUERADE.c
xt_NETMAP.c
xt_NFLOG.c
xt_NFQUEUE.c
xt_RATEEST.c
xt_REDIRECT.c
xt_SECMARK.c
xt_TCPMSS.c
xt_TCPOPTSTRIP.c
xt_TEE.c
xt_TPROXY.c
xt_TRACE.c
xt_addrtype.c
xt_bpf.c
xt_cgroup.c
xt_cluster.c
xt_comment.c
xt_connbytes.c
xt_connlabel.c
xt_connlimit.c
xt_connmark.c
xt_conntrack.c
xt_cpu.c
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c netfilter: xt_hashlimit: unregister proc file before releasing mutex 2020-03-21 08:11:46 +01:00
xt_helper.c
xt_hl.c
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_length.c
xt_limit.c
xt_mac.c
xt_mark.c
xt_multiport.c
xt_nat.c
xt_nfacct.c
xt_osf.c
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_realm.c
xt_recent.c netfilter: xt_recent: recent_seq_next should increase position index 2020-03-18 07:17:49 +01:00
xt_repldata.h
xt_sctp.c
xt_set.c
xt_socket.c
xt_state.c
xt_statistic.c
xt_string.c
xt_tcpmss.c
xt_tcpudp.c
xt_time.c
xt_u32.c