[24/26] netfilter: bridge: Fix non-untagged fragment packet

Message ID	20190625001233.22057-25-pablo@netfilter.org
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> sender: pneira@us.es) by entrada.int (Postfix) with ESMTPA id 2C2B44265A2F; Tue, 25 Jun 2019 02:12:53 +0200 (CEST) From: Pablo Neira Ayuso <pablo@netfilter.org> To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, netdev@vger.kernel.org Subject: [PATCH 24/26] netfilter: bridge: Fix non-untagged fragment packet Date: Tue, 25 Jun 2019 02:12:31 +0200 Message-Id: <20190625001233.22057-25-pablo@netfilter.org> In-Reply-To: <20190625001233.22057-1-pablo@netfilter.org> References: <20190625001233.22057-1-pablo@netfilter.org> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	[01/26] netfilter: ipv6: Fix undefined symbol nf_ct_frag6_gather \| expand [01/26] netfilter: ipv6: Fix undefined symbol nf_ct_frag6_gather [02/26] netfilter: ipset: remove useless memset() calls [03/26] netfilter: ipset: merge uadd and udel functions [04/26] netfilter: ipset: fix a missing check of nla_parse [05/26] netfilter: ipset: Fix the last missing check of nla_parse_deprecated() [06/26] netfilter: ipset: Fix error path in set_target_v3_checkentry() [07/26] ipset: Fix memory accounting for hash types on resize [08/26] Update my email address [09/26] netfilter: nft_ct: add ct expectations support [10/26] netfilter: conntrack: small conntrack lookup optimization [11/26] netfilter: xt_owner: bail out with EINVAL in case of unsupported flags [12/26] netfilter: bridge: port sysctls to use brnf_net [13/26] netfilter: bridge: namespace bridge netfilter sysctls [14/26] netfilter: synproxy: add common uapi for SYNPROXY infrastructure [15/26] netfilter: synproxy: remove module dependency on IPv6 SYNPROXY [16/26] netfilter: synproxy: extract SYNPROXY infrastructure from {ipt, ip6t}_SYNPROXY [17/26] netfilter: synproxy: ensure zero is returned on non-error return path [18/26] netfilter: nft_ct: fix null pointer in ct expectations support [19/26] netfilter: nf_tables: enable set expiration time for set elements [20/26] netfilter: synproxy: fix building syncookie calls [21/26] netfilter: synproxy: use nf_cookie_v6_check() from core [22/26] netfilter: bridge: prevent UAF in brnf_exit_net() [23/26] netfilter: fix nf_conntrack_bridge/ipv6 link error [24/26] netfilter: bridge: Fix non-untagged fragment packet [25/26] netfilter: synproxy: fix manual bump of the reference counter [26/26] netfilter: nf_tables: add support for matching IPv4 options

Message ID

20190625001233.22057-25-pablo@netfilter.org

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 24/26] netfilter: bridge: Fix non-untagged fragment packet
Date: Tue, 25 Jun 2019 02:12:31 +0200
Message-Id: <20190625001233.22057-25-pablo@netfilter.org>
In-Reply-To: <20190625001233.22057-1-pablo@netfilter.org>
References: <20190625001233.22057-1-pablo@netfilter.org>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

[01/26] netfilter: ipv6: Fix undefined symbol nf_ct_frag6_gather | expand

Commit Message

Pablo Neira Ayuso June 25, 2019, 12:12 a.m. UTC

From: wenxu <wenxu@ucloud.cn>

ip netns exec ns1 ip a a dev eth0 10.0.0.7/24
ip netns exec ns2 ip link a link eth0 name vlan type vlan id 200
ip netns exec ns2 ip a a dev vlan 10.0.0.8/24

ip l add dev br0 type bridge vlan_filtering 1
brctl addif br0 veth1
brctl addif br0 veth2

bridge vlan add dev veth1 vid 200 pvid untagged
bridge vlan add dev veth2 vid 200

A two fragment packet sent from ns2 contains the vlan tag 200.  In the
bridge conntrack, this packet will defrag to one skb with fraglist.
When the packet is forwarded to ns1 through veth1, the first skb vlan
tag will be cleared by the "untagged" flags. But the vlan tag in the
second skb is still tagged, so the second fragment ends up with tag 200
to ns1. So if the first fragment packet doesn't contain the vlan tag,
all of the remain should not contain vlan tag.

Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
Signed-off-by: wenxu <wenxu@ucloud.cn>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/bridge/netfilter/nf_conntrack_bridge.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index b675cd7c1a82..4f5444d2a526 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -331,6 +331,8 @@  static int nf_ct_bridge_frag_restore(struct sk_buff *skb,
 	}
 	if (data->vlan_present)
 		__vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci);
+	else if (skb_vlan_tag_present(skb))
+		__vlan_hwaccel_clear_tag(skb);
 
 	skb_copy_to_linear_data_offset(skb, -ETH_HLEN, data->mac, ETH_HLEN);
 	skb_reset_mac_header(skb);

[24/26] netfilter: bridge: Fix non-untagged fragment packet

Commit Message

Patch