git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 3 Mar 2017 20:44:00 +0000 (21:44 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 8 Mar 2017 17:02:12 +0000 (18:02 +0100)
commit	37c62ba7a727f6b1d9c6de771e5417ff58974386
tree	c4bbce5d29dfa51fa2a5d02b657b432adbfea30a	tree \| snapshot
parent	a28192c2f4fccb5495e4b4ef30520e7f324f473b	commit \| diff

netfilter: don't track fragmented packets

Andrey reports syzkaller splat caused by

NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));

in ipv4 nat. But this assertion (and the comment) are wrong, this function
does see fragments when IP_NODEFRAG setsockopt is used.

As conntrack doesn't track packets without complete l4 header, only the
first fragment is tracked.

Because applying nat to first packet but not the rest makes no sense this
also turns off tracking of all fragments.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c		diff \| blob \| history
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c		diff \| blob \| history