git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Patrick McHardy <kaber@trash.net>
	Tue, 15 Dec 2009 15:59:59 +0000 (16:59 +0100)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Wed, 6 Jan 2010 23:04:40 +0000 (15:04 -0800)
commit	048a424c2826ccbeb9b08bc3a8c6bc7acbd3116d
tree	c1626ee2c2873f2b08ad6d6fcec4caaad6ada359	tree \| snapshot
parent	89cf4f4c853f1f9619d58d89aa7d1fc56e24ee3a	commit \| diff

netfilter: fix crashes in bridge netfilter caused by fragment jumps

commit 8fa9ff6849bb86c59cc2ea9faadf3cb2d5223497 upstream.

When fragments from bridge netfilter are passed to IPv4 or IPv6 conntrack
and a reassembly queue with the same fragment key already exists from
reassembling a similar packet received on a different device (f.i. with
multicasted fragments), the reassembled packet might continue on a different
codepath than where the head fragment originated. This can cause crashes
in bridge netfilter when a fragment received on a non-bridge device (and
thus with skb->nf_bridge == NULL) continues through the bridge netfilter
code.

Add a new reassembly identifier for packets originating from bridge
netfilter and use it to put those packets in insolated queues.

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14805

Reported-and-Tested-by: Chong Qiao <qiaochong@loongson.cn>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

include/net/ip.h		diff \| blob \| history
include/net/ipv6.h		diff \| blob \| history
net/ipv4/netfilter/nf_defrag_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c		diff \| blob \| history