From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Liping Zhang, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.9 060/177] netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink
Date: Fri, 23 Mar 2018 10:53:08 +0100
Message-Id: <20180323094207.990467581@linuxfoundation.org>
In-Reply-To: <20180323094205.090519271@linuxfoundation.org>
References: <20180323094205.090519271@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Liping Zhang

[ Upstream commit 66e5a6b18bd09d0431e97cd3c162e76c5c2aebba ]

cthelpers added via nfnetlink may have the same tuple, i.e. except for
the l3proto and l4proto, other fields are all zero. So even with the
different names, we will also fail to add them:

  # nfct helper add ssdp inet udp
  # nfct helper add tftp inet udp
  nfct v1.4.3: netlink error: File exists

So in order to avoid unpredictable behaviour, we should:

1. cthelpers can be selected by nft ct helper obj or xt_CT target, so
   report error if a duplicated { name, l3proto, l4proto } tuple exists.
2. cthelpers can be selected by nf_ct_tuple_src_mask_cmp when
   nf_ct_auto_assign_helper is enabled, so also report error if a
   duplicated { l3proto, l4proto, src-port } tuple exists.

Also note, if the cthelper is added from userspace, then the src-port
will always be zero, it's invalid for nf_ct_auto_assign_helper, so
there's no need to check the second point listed above.

Fixes: 893e093c786c ("netfilter: nf_ct_helper: bail out on duplicated helpers")
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/nf_conntrack_helper.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -379,17 +379,33 @@ int nf_conntrack_helper_register(struct struct nf_conntrack_tuple_mask mask = { .src.u.all = htons(0xFFFF) }; unsigned int h = helper_hash(&me->tuple); struct nf_conntrack_helper *cur; - int ret = 0; + int ret = 0, i; BUG_ON(me->expect_policy == NULL); BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES); BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1); mutex_lock(&nf_ct_helper_mutex); - hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { - if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)) { - ret = -EEXIST; - goto out; + for (i = 0; i < nf_ct_helper_hsize; i++) { + hlist_for_each_entry(cur, &nf_ct_helper_hash[i], hnode) { + if (!strcmp(cur->name, me->name) && + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { + ret = -EEXIST; + goto out; + } + } + } + + /* avoid unpredictable behaviour for auto_assign_helper */ + if (!(me->flags & NF_CT_HELPER_F_USERSPACE)) { + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { + ret = -EEXIST; + goto out; + } } } hlist_add_head_rcu(&me->hnode, &nf_ct_helper_hash[h]);
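Review bot: the l3num test in the new name check is one-directional. `cur->tuple.src.l3num == NFPROTO_UNSPEC || cur->tuple.src.l3num == me->tuple.src.l3num` rejects a family-specific helper when an NFPROTO_UNSPEC helper of the same name and l4proto is already registered, but registering them in the opposite order (IPv4 first, then NFPROTO_UNSPEC with the same name and l4proto) passes, so the { name, l3proto, l4proto } uniqueness the commit message promises depends on registration order. Consider adding `me->tuple.src.l3num == NFPROTO_UNSPEC ||` to the disjunction so the check is symmetric. The full scan of all nf_ct_helper_hsize buckets with strcmp() is fine for a registration path that already holds nf_ct_helper_mutex, but a short comment saying that the name check intentionally spans every bucket (unlike the tuple check, which stays on bucket h) would help the next reader.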
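As an added illustration that is not kernel code, the two duplicate-helper rules from the commit message modelled in user-space C, with the ssdp/tftp case from the message as a test; `struct helper`, `helper_register`, the flat table and the constants are constructed stand-ins for the kernel's hash-bucket registry:

```c
#include <errno.h>
#include <string.h>
/* Constructed user-space model of this patch's registration rules, not kernel
 * code. One flat table stands in for the hash buckets: equal tuples always
 * share a bucket, so scanning everything gives the same answer. */
#define NFPROTO_UNSPEC 0
#define NFPROTO_IPV4 2
#define HELPER_F_USERSPACE 1
#define MAX_HELPERS 16

struct helper {
    const char *name;
    unsigned char l3num;     /* NFPROTO_* family, 0 = unspecified */
    unsigned char protonum;  /* L4 protocol number, e.g. 17 for UDP */
    unsigned short src_port; /* always 0 for helpers added via nfnetlink */
    unsigned int flags;
};

static struct helper table[MAX_HELPERS];
static int ntable;
void helper_reset(void) { ntable = 0; }

/* Returns 0 on success, -EEXIST when either duplicate rule fires. */
int helper_register(const struct helper *me)
{
    int i;
    /* Rule 1: { name, l3proto, l4proto } must be unique; an existing
     * NFPROTO_UNSPEC entry already covers every family. */
    for (i = 0; i < ntable; i++) {
        const struct helper *cur = &table[i];
        if (!strcmp(cur->name, me->name) &&
            (cur->l3num == NFPROTO_UNSPEC || cur->l3num == me->l3num) &&
            cur->protonum == me->protonum)
            return -EEXIST;
    }
    /* Rule 2: kernel helpers are also matched by auto_assign_helper on
     * { l3proto, l4proto, src-port }, so that tuple must be unique too;
     * userspace helpers (src-port 0) are skipped, exactly as in the patch. */
    if (!(me->flags & HELPER_F_USERSPACE))
        for (i = 0; i < ntable; i++)
            if (table[i].l3num == me->l3num &&
                table[i].protonum == me->protonum &&
                table[i].src_port == me->src_port)
                return -EEXIST;
    if (ntable == MAX_HELPERS)
        return -ENOSPC;
    table[ntable++] = *me;
    return 0;
}
```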