| commit | 71c36cc2a9ef5622024b1ca84a000ecd76e5cc13 | |
| author | Pablo Neira Ayuso <pablo@netfilter.org> | |
| Thu, 6 Jan 2011 19:25:00 +0000 (6 11:25 -0800) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Wed, 23 Mar 2011 19:49:56 +0000 (23 12:49 -0700) | ||
| tree | e05b4f4609170dd77e9021a86eebb03110f893f0 | treesnapshot (tar.gz zip) |
| parent | 64bb48e4e88b52e05e36b8b0d033a17fa9102962 | commitdiff |
netfilter: fix export secctx error handling
commit cba85b532e4aabdb97f44c18987d45141fd93faa upstream.
In 1ae4de0cdf855305765592647025bde55e85e451, the secctx was exported
via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
instead of the secmark.
That patch introduced the use of security_secid_to_secctx() which may
return a non-zero value on error.
In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
security modules. Thus, security_secid_to_secctx() returns a negative
value that results in the breakage of the /proc and `conntrack -L'
outputs. To fix this, we skip the inclusion of secctx if the
aforementioned function fails.
This patch also fixes the dynamic netlink message size calculation
if security_secid_to_secctx() returns an error, since its logic is
also wrong.
This problem exists in Linux kernel >= 2.6.37.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit cba85b532e4aabdb97f44c18987d45141fd93faa upstream.
In 1ae4de0cdf855305765592647025bde55e85e451, the secctx was exported
via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
instead of the secmark.
That patch introduced the use of security_secid_to_secctx() which may
return a non-zero value on error.
In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
security modules. Thus, security_secid_to_secctx() returns a negative
value that results in the breakage of the /proc and `conntrack -L'
outputs. To fix this, we skip the inclusion of secctx if the
aforementioned function fails.
This patch also fixes the dynamic netlink message size calculation
if security_secid_to_secctx() returns an error, since its logic is
also wrong.
This problem exists in Linux kernel >= 2.6.37.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | diffblobblamehistory | |
| net/netfilter/nf_conntrack_netlink.c | diffblobblamehistory | |
| net/netfilter/nf_conntrack_standalone.c | diffblobblamehistory |