iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net/netfilter
History
Pablo Neira Ayuso 71df14b0ce netfilter: nf_tables: missing sanitization in data from userspace 
Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and
cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it
is still possible to handcraft a netlink message using this incorrect
data type.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-05-15 12:51:40 +02:00
..
ipset
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
ipvs
ipvs: SNAT packet replies only for NATed connections
2017-05-08 11:38:35 +02:00
core.c
netfilter: nf_queue: only call synchronize_net twice if nf_queue is active
2017-05-01 11:19:12 +02:00
Kconfig
netfilter: nft_exthdr: add TCP option matching
2017-02-08 14:17:09 +01:00
Makefile
netfilter: nf_tables: add bitmap set type
2017-02-08 14:16:21 +01:00
nf_conntrack_acct.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_conntrack_amanda.c
netfilter: helper: add build-time asserts for helper data size
2017-04-19 17:55:16 +02:00
nf_conntrack_broadcast.c
nf_conntrack_core.c
netfilter: conntrack: Force inlining of build check to prevent build failure
2017-05-03 09:51:26 -04:00
nf_conntrack_ecache.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_conntrack_expect.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nf_conntrack_extend.c
netfilter: nf_ct_ext: invoke destroy even when ext is not attached
2017-05-01 11:48:49 +02:00
nf_conntrack_ftp.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_h323_asn1.c
netfilter: nf_conntrack_h323: fix off-by-one in DecodeQ931
2016-07-11 12:32:45 +02:00
nf_conntrack_h323_main.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c
netfilter: nfnl_cthelper: reject del request if helper obj is in use
2017-05-15 12:42:29 +02:00
nf_conntrack_irc.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_l3proto_generic.c
netfilter: Convert print_tuple functions to return void
2014-11-05 14:10:33 -05:00
nf_conntrack_labels.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_conntrack_netbios_ns.c
netfilter: helper: add build-time asserts for helper data size
2017-04-19 17:55:16 +02:00
nf_conntrack_netlink.c
netfilter: synproxy: fix conntrackd interaction
2017-05-15 12:51:39 +02:00
nf_conntrack_pptp.c
netfilter: pptp: attach nat extension when needed
2017-04-26 09:30:22 +02:00
nf_conntrack_proto_dccp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nf_conntrack_proto_generic.c
netfilter: remove ip_conntrack* sysctl compat code
2016-08-13 13:27:13 +02:00
nf_conntrack_proto_gre.c
netns: make struct pernet_operations::id unsigned int
2016-11-18 10:59:15 -05:00
nf_conntrack_proto_sctp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nf_conntrack_proto_tcp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nf_conntrack_proto_udp.c
netfilter: conntrack: no need to pass ctinfo to error handler
2017-02-02 14:31:51 +01:00
nf_conntrack_proto.c
netfilter: nf_conntrack: remove double assignment
2017-04-14 01:54:23 +02:00
nf_conntrack_sane.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_seqadj.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_conntrack_sip.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c
netfilter: Use seq_puts()/seq_putc() where possible
2017-04-07 17:29:21 +02:00
nf_conntrack_tftp.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_timeout.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_conntrack_timestamp.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_dup_netdev.c
netfilter: add and use nf_fwd_netdev_egress
2016-12-06 21:48:22 +01:00
nf_internals.h
netfilter: nf_queue: only call synchronize_net twice if nf_queue is active
2017-05-01 11:19:12 +02:00
nf_log_common.c
netfilter: nf_log: do not assume ethernet header in netdev family
2016-12-04 20:45:33 +01:00
nf_log_netdev.c
netfilter: nf_log: do not assume ethernet header in netdev family
2016-12-04 20:45:33 +01:00
nf_log.c
netfilter: nf_log: don't call synchronize_rcu in nf_log_unset
2017-05-01 11:19:07 +02:00
nf_nat_amanda.c
netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean
2017-04-06 22:01:38 +02:00
nf_nat_core.c
netfilter: don't setup nat info for confirmed ct
2017-05-15 12:42:28 +02:00
nf_nat_ftp.c
nf_nat_helper.c
netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean
2017-04-06 22:01:38 +02:00
nf_nat_irc.c
netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean
2017-04-06 22:01:38 +02:00
nf_nat_proto_common.c
netfilter: use IS_ENABLED() macro
2014-06-30 11:38:03 +02:00
nf_nat_proto_dccp.c
netfilter: built-in NAT support for DCCP
2016-12-04 20:45:30 +01:00
nf_nat_proto_sctp.c
netfilter: nf_nat_sctp: fix ICMP packet to be dropped accidently
2017-03-08 18:04:06 +01:00
nf_nat_proto_tcp.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
nf_nat_proto_udp.c
netfilter: nat: merge udp and udplite helpers
2017-01-03 14:33:25 +01:00
nf_nat_proto_unknown.c
nf_nat_redirect.c
netfilter: make it safer during the inet6_dev->addr_list traversal
2017-04-08 23:52:16 +02:00
nf_nat_sip.c
netfilter: replace strnicmp with strncasecmp
2014-10-14 02:18:24 +02:00
nf_nat_tftp.c
nf_queue.c
netfilter: nf_queue: only call synchronize_net twice if nf_queue is active
2017-05-01 11:19:12 +02:00
nf_sockopt.c
netfilter: don't use mutex_lock_interruptible()
2014-08-08 16:47:23 +02:00
nf_synproxy_core.c
netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14
2017-04-19 17:55:17 +02:00
nf_tables_api.c
netfilter: nf_tables: can't assume lock is acquired when dumping set elems
2017-05-15 12:51:39 +02:00
nf_tables_core.c
netfilter: nf_tables: simplify the basic expressions' init routine
2016-11-09 23:42:23 +01:00
nf_tables_inet.c
netfilter: Add the missed return value check of nft_register_chain_type
2016-09-12 19:54:45 +02:00
nf_tables_netdev.c
netfilter: nf_tables: add nft_is_base_chain() helper
2017-04-06 18:32:04 +02:00
nf_tables_trace.c
netfilter: Add nfnl_msg_type() helper function
2017-04-07 16:31:36 +02:00
nfnetlink_acct.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nfnetlink_cthelper.c
netfilter: nfnl_cthelper: reject del request if helper obj is in use
2017-05-15 12:42:29 +02:00
nfnetlink_cttimeout.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nfnetlink_log.c
netfilter: nf_log: don't call synchronize_rcu in nf_log_unset
2017-05-01 11:19:07 +02:00
nfnetlink_queue.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nfnetlink.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nft_bitwise.c
netfilter: nf_tables: missing sanitization in data from userspace
2017-05-15 12:51:40 +02:00
nft_byteorder.c
netfilter: nf_tables: simplify the basic expressions' init routine
2016-11-09 23:42:23 +01:00
nft_cmp.c
netfilter: nf_tables: missing sanitization in data from userspace
2017-05-15 12:51:40 +02:00
nft_compat.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nft_counter.c
netfilter: provide nft_ctx in object init function
2017-03-13 13:42:00 +01:00
nft_ct.c
netfilter: introduce nf_conntrack_helper_put helper function
2017-05-15 12:42:29 +02:00
nft_dup_netdev.c
netfilter: nf_tables: add packet duplication to the netdev family
2016-01-03 21:04:23 +01:00
nft_dynset.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2017-05-03 10:11:26 -04:00
nft_exthdr.c
netfilter: Remove exceptional & on function name
2017-04-07 18:24:47 +02:00
nft_fib_inet.c
netfilter: nf_tables: use hook state from xt_action_param structure
2016-11-03 11:52:34 +01:00
nft_fib.c
netfilter: nft_fib: Support existence check
2017-03-13 13:45:36 +01:00
nft_fwd_netdev.c
netfilter: add and use nf_fwd_netdev_egress
2016-12-06 21:48:22 +01:00
nft_hash.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nft_immediate.c
netfilter: nf_tables: simplify the basic expressions' init routine
2016-11-09 23:42:23 +01:00
nft_limit.c
netfilter: limit: use per-rule spinlock to improve the scalability
2017-03-13 19:30:31 +01:00
nft_log.c
netfilter: nft_log: restrict the log prefix length to 127
2017-01-24 21:46:29 +01:00
nft_lookup.c
netfilter: nf_tables: add nft_set_lookup()
2017-03-06 18:23:23 +01:00
nft_masq.c
netfilter: nf_tables: validate the expr explicitly after init successfully
2017-03-06 18:22:12 +01:00
nft_meta.c
netfilter: Remove exceptional & on function name
2017-04-07 18:24:47 +02:00
nft_nat.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-03-23 16:41:27 -07:00
nft_numgen.c
netfilter: Remove exceptional & on function name
2017-04-07 18:24:47 +02:00
nft_objref.c
netfilter: nf_tables: add nft_set_lookup()
2017-03-06 18:23:23 +01:00
nft_payload.c
netfilter: nft_payload: mangle ckecksum if NFT_PAYLOAD_L4CSUM_PSEUDOHDR is set
2016-12-14 23:39:11 +01:00
nft_queue.c
netfilter: Remove exceptional & on function name
2017-04-07 18:24:47 +02:00
nft_quota.c
netfilter: provide nft_ctx in object init function
2017-03-13 13:42:00 +01:00
nft_range.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-12-03 12:29:53 -05:00
nft_redir.c
netfilter: nf_tables: validate the expr explicitly after init successfully
2017-03-06 18:22:12 +01:00
nft_reject_inet.c
netfilter: nf_tables: validate the expr explicitly after init successfully
2017-03-06 18:22:12 +01:00
nft_reject.c
netfilter: nf_tables: validate the expr explicitly after init successfully
2017-03-06 18:22:12 +01:00
nft_rt.c
netfilter: nf_tables: use hook state from xt_action_param structure
2016-11-03 11:52:34 +01:00
nft_set_bitmap.c
netfilter: nft_set_bitmap: free dummy elements when destroy the set
2017-04-24 20:05:25 +02:00
nft_set_hash.c
netfilter: nf_tables: can't assume lock is acquired when dumping set elems
2017-05-15 12:51:39 +02:00
nft_set_rbtree.c
netfilter: nft_set_rbtree: use per-set rwlock to improve the scalability
2017-03-13 19:30:43 +01:00
x_tables.c
netfilter: xtables: zero padding in data_to_user
2017-05-15 12:51:38 +02:00
xt_addrtype.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_AUDIT.c
audit: normalize NETFILTER_PKT
2017-05-02 10:16:04 -04:00
xt_bpf.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_cgroup.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
netfilter: remove nf_ct_is_untracked
2017-04-15 11:51:33 +02:00
xt_comment.c
xt_connbytes.c
netfilter: add and use nf_ct_netns_get/put
2016-12-04 21:16:50 +01:00
xt_connlabel.c
netfilter: remove nf_ct_is_untracked
2017-04-15 11:51:33 +02:00
xt_connlimit.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_connmark.c
netfilter: remove nf_ct_is_untracked
2017-04-15 11:51:33 +02:00
xt_CONNSECMARK.c
netfilter: add and use nf_ct_netns_get/put
2016-12-04 21:16:50 +01:00
xt_conntrack.c
netfilter: kill the fake untracked conntrack objects
2017-04-15 11:47:57 +02:00
xt_cpu.c
xt_CT.c
netfilter: introduce nf_conntrack_helper_put helper function
2017-05-15 12:42:29 +02:00
xt_dccp.c
xt_devgroup.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_dscp.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_DSCP.c
netfilter: fix various sparse warnings
2014-11-13 12:14:42 +01:00
xt_ecn.c
xt_esp.c
xt_hashlimit.c
netfilter: Remove unnecessary cast on void pointer
2017-04-07 17:29:17 +02:00
xt_helper.c
netfilter: add and use nf_ct_netns_get/put
2016-12-04 21:16:50 +01:00
xt_hl.c
xt_HL.c
xt_HMARK.c
netfilter: remove nf_ct_is_untracked
2017-04-15 11:51:33 +02:00
xt_IDLETIMER.c
netfilter: IDLETIMER: fix race condition when destroy the target
2016-04-29 14:28:48 +02:00
xt_ipcomp.c
netfilter: xt_ipcomp: add "ip[6]t_ipcomp" module alias name
2016-10-17 17:38:19 +02:00
xt_iprange.c
xt_ipvs.c
netfilter: remove nf_ct_is_untracked
2017-04-15 11:51:33 +02:00
xt_l2tp.c
netfilter: introduce l2tp match extension
2014-01-09 21:36:39 +01:00
xt_LED.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2014-08-05 18:46:26 -07:00
xt_length.c
xt_limit.c
netfilter: limit: use per-rule spinlock to improve the scalability
2017-03-13 19:30:31 +01:00
xt_LOG.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_mac.c
xt_mark.c
netfilter: xt_MARK: Add ARP support
2015-05-14 13:00:27 +02:00
xt_multiport.c
netfilter: xt_multiport: Fix wrong unmatch result with multiple ports
2016-12-06 21:48:20 +01:00
xt_nat.c
netfilter: nat: add dependencies on conntrack module
2016-12-04 21:16:51 +01:00
xt_NETMAP.c
netfilter: nat: add dependencies on conntrack module
2016-12-04 21:16:51 +01:00
xt_nfacct.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_NFLOG.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_NFQUEUE.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_osf.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_owner.c
sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h>
2017-03-02 08:42:31 +01:00
xt_physdev.c
netfilter: physdev: add missed blank
2016-08-12 00:42:14 +02:00
xt_pkttype.c
netfilter: pkttype: unnecessary to check ipv6 multicast address
2017-01-18 20:32:43 +01:00
xt_policy.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_quota.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_rateest.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_RATEEST.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_realm.c
xt_recent.c
treewide: use kv[mz]alloc* rather than opencoded variants
2017-05-08 17:15:13 -07:00
xt_REDIRECT.c
netfilter: nat: add dependencies on conntrack module
2016-12-04 21:16:51 +01:00
xt_repldata.h
net: netfilter: LLVMLinux: vlais-netfilter
2014-06-07 11:44:39 -07:00
xt_sctp.c
sctp: rename WORD_TRUNC/ROUND macros
2016-09-22 03:13:26 -04:00
xt_SECMARK.c
xt_set.c
netfilter: ipset: Improve skbinfo get/init helpers
2016-11-10 13:28:42 +01:00
xt_socket.c
netfilter: xt_socket: Fix broken IPv6 handling
2017-04-24 20:06:29 +02:00
xt_state.c
netfilter: kill the fake untracked conntrack objects
2017-04-15 11:47:57 +02:00
xt_statistic.c
net: replace macros net_random and net_srandom with direct calls to prandom
2014-01-14 15:15:25 -08:00
xt_string.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_tcpmss.c
xt_TCPMSS.c
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
2017-04-08 22:24:19 +02:00
xt_TCPOPTSTRIP.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
xt_tcpudp.c
netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF
2016-07-03 10:55:07 +02:00
xt_TEE.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_time.c
ktime: Get rid of the union
2016-12-25 17:21:22 +01:00
xt_TPROXY.c
netfilter: make it safer during the inet6_dev->addr_list traversal
2017-04-08 23:52:16 +02:00
xt_TRACE.c
netfilter: xt_TRACE: add explicitly nf_logger_find_get call
2016-06-23 13:26:49 +02:00
xt_u32.c