linux/net/bridge
Florian Westphal 8626c56c82 bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict
Zefir Kurtisi reported kernel panic with an openwrt specific patch.
However, it turns out that mainline has a similar bug waiting to happen.

Once NF_HOOK() returns the skb is in undefined state and must not be
used.   Moreover, the okfn must consume the skb to support async
processing (NF_QUEUE).

Current okfn in this spot doesn't consume it and caller assumes that
NF_HOOK return value tells us if skb was freed or not, but thats wrong.

It "works" because no in-tree user registers a NFPROTO_BRIDGE hook at
LOCAL_IN that returns STOLEN or NF_QUEUE verdicts.

Once we add NF_QUEUE support for nftables bridge this will break --
NF_QUEUE holds the skb for async processing, caller will erronoulsy
return RX_HANDLER_PASS and on reinject netfilter will access free'd skb.

Fix this by pushing skb up the stack in the okfn instead.

NB: It also seems dubious to use LOCAL_IN while bypassing PRE_ROUTING
completely in this case but this is how its been forever so it seems
preferable to not change this.

Cc: Felix Fietkau <nbd@openwrt.org>
Cc: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-03-14 15:46:41 -04:00
..
netfilter ipv4: Namespaceify ip_default_ttl sysctl knob 2016-02-16 20:42:54 -05:00
Kconfig bridge: Add vlan filtering infrastructure 2013-02-13 19:41:46 -05:00
Makefile netfilter: bridge: split ipv6 code into separated file 2015-06-18 21:14:21 +02:00
br.c switchdev: Require RTNL mutex to be held when sending FDB notifications 2016-01-28 16:21:31 -08:00
br_device.c bridge: fix lockdep addr_list_lock false positive splat 2016-01-15 15:40:45 -05:00
br_fdb.c net: ndo_fdb_dump should report -EMSGSIZE to rtnl_fdb_dump. 2016-02-26 15:04:02 -05:00
br_forward.c net: remove skb_sender_cpu_clear() 2016-03-01 17:36:47 -05:00
br_if.c bridge: notify enslaved devices of headroom changes 2016-03-01 15:54:30 -05:00
br_input.c bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict 2016-03-14 15:46:41 -04:00
br_ioctl.c bridge: push bridge setting ageing_time down to switchdev 2015-10-12 05:20:20 -07:00
br_mdb.c bridge: mcast: add support for more router port information dumping 2016-03-01 16:55:07 -05:00
br_multicast.c bridge: mcast: add support for temporary port router 2016-03-01 16:55:07 -05:00
br_netfilter_hooks.c netfilter: bridge: register hooks only when bridge interface is added 2016-03-02 20:05:25 +01:00
br_netfilter_ipv6.c bridge: Pass net into br_validate_ipv4 and br_validate_ipv6 2015-09-29 20:21:32 +02:00
br_netlink.c net: bridge: log port STP state on change 2016-02-18 14:20:08 -05:00
br_nf_core.c net: Remove protocol from struct dst_ops 2015-03-09 16:06:10 -04:00
br_private.h net: bridge: log port STP state on change 2016-02-18 14:20:08 -05:00
br_private_stp.h net: 8021q/bluetooth/bridge/can/ceph: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
br_stp.c bridge: allow zero ageing time 2016-03-11 14:58:58 -05:00
br_stp_bpdu.c netfilter: Pass net into okfn 2015-09-17 17:18:37 -07:00
br_stp_if.c net: bridge: log port STP state on change 2016-02-18 14:20:08 -05:00
br_stp_timer.c net: bridge: log port STP state on change 2016-02-18 14:20:08 -05:00
br_sysfs_br.c bridge: use kobj_to_dev instead of to_dev 2015-12-23 22:26:48 -05:00
br_sysfs_if.c bridge: vlan: flush the dynamically learned entries on port vlan delete 2015-06-24 05:40:55 -07:00
br_vlan.c bridge: switchdev: Offload VLAN flags to hardware bridge 2016-02-18 11:18:11 -05:00