author | 2019-06-06 18:04:00 +0200 | |
---|---|---|
committer | 2019-06-07 14:49:01 +0200 | |
commit | 8a3dca632538c550930ce8bafa8c906b130d35cf (patch) | |
tree | 03c6a9baaa651973f12ee993491eb295023ee42c /tools/perf/scripts/python/export-to-sqlite.py | |
parent | netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments (diff) | |

netfilter: ipv6: nf_defrag: accept duplicate fragments again

When fixing the skb leak introduced by the conversion to rbtree, I
forgot about the special case of duplicate fragments. The condition
under the 'insert_error' label isn't effective anymore as
nf_ct_frg6_gather() doesn't override the returned value anymore. So
duplicate fragments now get NF_DROP verdict.

To accept duplicate fragments again, handle them specially as soon as
inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
translate to NF_STOLEN verdict, like any accepted fragment. However,
such packets don't carry any new information and aren't queued, so we
just drop them immediately.

Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions