linux/net/ipv6/netfilter
Florian Westphal c6675233f9 netfilter: nf_queue: reject NF_STOLEN verdicts from userspace
A userspace listener may send (bogus) NF_STOLEN verdict, which causes skb leak.

This problem was previously fixed via
64507fdbc2 (netfilter:
nf_queue: fix NF_STOLEN skb leak) but this had to be reverted because
NF_STOLEN can also be returned by a netfilter hook when iterating the
rules in nf_reinject.

Reject userspace NF_STOLEN verdict, as suggested by Michal Miroslaw.

This is complementary to commit fad5444043
(netfilter: avoid double free in nf_reinject).

Cc: Julian Anastasov <ja@ssi.bg>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2011-08-30 15:01:20 +02:00
..
ip6_queue.c netfilter: nf_queue: reject NF_STOLEN verdicts from userspace 2011-08-30 15:01:20 +02:00
ip6_tables.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2011-04-19 11:24:06 -07:00
ip6t_ah.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_eui64.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_frag.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_hbh.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_ipv6header.c netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11 18:33:37 +02:00
ip6t_LOG.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-02-19 19:17:35 -08:00
ip6t_mh.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_REJECT.c netfilter: IPv6: initialize TOS field in REJECT target module 2011-05-10 09:55:44 +02:00
ip6t_rt.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6table_filter.c netfilter: cleanup printk messages 2010-05-13 15:02:08 +02:00
ip6table_mangle.c netfilter: ip6table_mangle: Fix set-but-unused variables. 2011-04-17 17:06:15 -07:00
ip6table_raw.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ip6table_security.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
Kconfig netfilter: fix module dependency issues with IPv6 defragmentation, ip6tables and xt_TPROXY 2010-10-25 13:58:36 -07:00
Makefile Net: ipv6: netfiliter: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:12 -08:00
nf_conntrack_l3proto_ipv6.c netfilter: add more values to enum ip_conntrack_info 2011-06-06 01:35:10 +02:00
nf_conntrack_proto_icmpv6.c netfilter: nf_conntrack: fix ct refcount leak in l4proto->error() 2011-06-06 01:37:02 +02:00
nf_conntrack_reasm.c netfilter: add a missing include in nf_conntrack_reasm.c 2011-01-20 21:00:38 +01:00
nf_defrag_ipv6_hooks.c Fix common misspellings 2011-03-31 11:26:23 -03:00