netfilter: ipv6: nf_defrag: accept duplicate fragments again
[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ] When fixing the skb leak introduced by the conversion to rbtree, I forgot about the special case of duplicate fragments. The condition under the 'insert_error' label isn't effective anymore as nf_ct_frg6_gather() doesn't override the returned value anymore. So duplicate fragments now get NF_DROP verdict. To accept duplicate fragments again, handle them specially as soon as inet_frag_queue_insert() reports them. Return -EINPROGRESS which will translate to NF_STOLEN verdict, like any accepted fragment. However, such packets don't carry any new information and aren't queued, so we just drop them immediately. Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments") Signed-off-by: Guillaume Nault <gnault@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
parent
54e8cf41b2
commit
ac0024baf0
1 changed files with 7 additions and 3 deletions
|
@ -265,8 +265,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
|
|||
|
||||
prev = fq->q.fragments_tail;
|
||||
err = inet_frag_queue_insert(&fq->q, skb, offset, end);
|
||||
if (err)
|
||||
if (err) {
|
||||
if (err == IPFRAG_DUP) {
|
||||
/* No error for duplicates, pretend they got queued. */
|
||||
kfree_skb(skb);
|
||||
return -EINPROGRESS;
|
||||
}
|
||||
goto insert_error;
|
||||
}
|
||||
|
||||
if (dev)
|
||||
fq->iif = dev->ifindex;
|
||||
|
@ -304,8 +310,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
|
|||
return -EINPROGRESS;
|
||||
|
||||
insert_error:
|
||||
if (err == IPFRAG_DUP)
|
||||
goto err;
|
||||
inet_frag_kill(&fq->q);
|
||||
err:
|
||||
skb_dst_drop(skb);
|
||||
|
|
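Review bot: The comment in the new `IPFRAG_DUP` branch of the first hunk ("pretend they got queued") does not say that this is the one `-EINPROGRESS` return where the skb has already been freed rather than linked into the queue, which is the ownership fact a later editor of nf_ct_frag6_queue() needs. I would word it as `/* Duplicate: no new data. Free it here; -EINPROGRESS tells the caller the skb is consumed (NF_STOLEN per the commit message), so it must not be touched again. */`. It is also worth a short comment next to `goto insert_error;` stating that every other non-zero result from inet_frag_queue_insert() still reaches `inet_frag_kill(&fq->q)` in the second hunk, so only fragments reported as IPFRAG_DUP are tolerated and the queue is still torn down for anything else. No counter is updated on the duplicate path in the visible lines, so a burst of duplicate fragments would presumably show up only through kfree_skb tracing; the function body starts and ends outside both hunks, so this may be handled elsewhere.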