Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp2234991ybi; Thu, 20 Jun 2019 11:20:17 -0700 (PDT) X-Google-Smtp-Source: APXvYqxcKv//tC37qGanTs1xIoQYbswZOWkTfF+7mWACFOuxv4+5kfeFVtJjlzZ9pJ8eIlAYZZmK X-Received: by 2002:a65:50c3:: with SMTP id s3mr13962088pgp.177.1561054816975; Thu, 20 Jun 2019 11:20:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561054816; cv=none; d=google.com; s=arc-20160816; b=IwYHELXeKbqtZm1OApKotk9Y90fktQtcshQqffZd0cdWfwJuwbMOiDPMi2CE28KfG5 UdDfguDptGewPd5t/7rj+yQMtO/g5qRi7V6VGHvox/puaWzzjdC4YmYrFLQb98g3GcXR GiC5Nfvf4N1B1kXfAhr9h3hCP8xevlNC51p2Pj5odur1KUgmaec5svdDtP0F+JNCVhwx vTNlM10VI1kniujUsTOFDi9S8oH6+W2sOJr8ZJs0jl2JtoEyXlGhQT5FiXWGQqFcxPKa CvP0G4pQm0PVrLAjx72c9R5iBT1smBSlmO6O+8C40vOz3xM7giao/703zAzMer3Rw0nD jtDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=GEgIUvloIR0dY14CxWZJaVdSGIZKkKf+I9Bhk/BUlJY=; b=z3ZT3LquepCSL3kb71dRSipIzmDtjqjYfgpl7RqNToD+MN80zXOwOgTOquspzA/Ml9 A5vEYIWYMli+bFNbxN9/zm4wDujVRT/1oFIT+VujSmPSm65bw7qekdEx8OtMqc2deAQY sOJQpGu5Dk+AAJAohPJeAhxVrwQXU9ARo6xKI+10McoDfTjcUjXyJY7Ma8uQvXQxV0Ro KfNHR8txqGihPMWo7ul5DE/rqB+v/xfDw1sDQ7s9+xi8nTvMFRGJrsVhwSIrrn4tP5+Z tCysqj/RHYomn5lXJM17aGBfrUhkmEF0hI+fBWEiHkxt1Al6Nqy5x6dZ+EY8DbIsz5Bj fO6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=n0deR8UA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v62si197127pfv.63.2019.06.20.11.20.01; Thu, 20 Jun 2019 11:20:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=n0deR8UA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727073AbfFTSOh (ORCPT + 99 others); Thu, 20 Jun 2019 14:14:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:42850 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729453AbfFTSOa (ORCPT ); Thu, 20 Jun 2019 14:14:30 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 504DF205F4; Thu, 20 Jun 2019 18:14:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561054469; bh=UA8CJVHl22WRCysNGAs/ioVTOP1RLKtNLe+cIK4dq6o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=n0deR8UAGxL2dZ+J70UEjCbiZWmLU3ZDlTqbStj0/REGJKRvmR02NjTzRCKWNB8Y3 yKdVzxZcLW5GH6dNbcz4j9s6s+4xi9ZEM6HjrjMru45YX0c1vI+cYRNZ6CtrbfqkxQ MoWwtA7ZqAJNv853Xx7zUHYqNZCZr28U1fIPqw3s= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jagdish Motwani , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 5.1 39/98] netfilter: nf_queue: fix reinject verdict handling Date: Thu, 20 Jun 2019 19:57:06 +0200 Message-Id: <20190620174350.871488415@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190620174349.443386789@linuxfoundation.org> References: <20190620174349.443386789@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 946c0d8e6ed43dae6527e878d0077c1e11015db0 ] This patch fixes netfilter hook traversal when there are more than 1 hooks returning NF_QUEUE verdict. When the first queue reinjects the packet, 'nf_reinject' starts traversing hooks with a proper hook_index. However, if it again receives a NF_QUEUE verdict (by some other netfilter hook), it queues the packet with a wrong hook_index. So, when the second queue reinjects the packet, it re-executes hooks in between. Fixes: 960632ece694 ("netfilter: convert hook list to an array") Signed-off-by: Jagdish Motwani Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_queue.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c index a36a77bae1d6..5b86574e7b89 100644 --- a/net/netfilter/nf_queue.c +++ b/net/netfilter/nf_queue.c @@ -254,6 +254,7 @@ static unsigned int nf_iterate(struct sk_buff *skb, repeat: verdict = nf_hook_entry_hookfn(hook, skb, state); if (verdict != NF_ACCEPT) { + *index = i; if (verdict != NF_REPEAT) return verdict; goto repeat; -- 2.20.1