From patchwork Sat Dec 28 22:03:04 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pablo Neira Ayuso <pablo@netfilter.org>
X-Patchwork-Id: 305607
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 55E9E2C00BE
	for <incoming@patchwork.ozlabs.org>;
	Sun, 29 Dec 2013 09:03:33 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751525Ab3L1WDa (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Sat, 28 Dec 2013 17:03:30 -0500
Received: from mail.us.es ([193.147.175.20]:43866 "EHLO mail.us.es"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751448Ab3L1WD1 (ORCPT <rfc822; netfilter-devel@vger.kernel.org>);
	Sat, 28 Dec 2013 17:03:27 -0500
Received: (qmail 20095 invoked from network); 28 Dec 2013 23:03:25 +0100
Received: from unknown (HELO us.es) (192.168.2.12)
	by us.es with SMTP; 28 Dec 2013 23:03:25 +0100
Received: (qmail 6686 invoked by uid 507); 28 Dec 2013 22:03:25 -0000
X-Qmail-Scanner-Diagnostics: from 127.0.0.1 by antivirus2 (envelope-from
	<pablo@netfilter.org>, uid 501) with qmail-scanner-2.10
	(clamdscan: 0.98/18298. spamassassin: 3.3.2.  
	Clear:RC:1(127.0.0.1):SA:0(-99.8/7.5):.
	Processed in 1.815102 secs); 28 Dec 2013 22:03:25 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on antivirus2
X-Spam-Level: 
X-Spam-Status: No, score=-99.8 required=7.5 tests=BAYES_50,RCVD_IN_PBL,
	RCVD_IN_RP_RNBL, RCVD_IN_SORBS_DUL, RDNS_DYNAMIC, SMTPAUTH_US,
	USER_IN_WHITELIST autolearn=disabled version=3.3.2
X-Spam-ASN: AS12715 95.20.0.0/16
X-Envelope-From: pablo@netfilter.org
Received: from unknown (HELO antivirus2) (127.0.0.1)
	by us.es with SMTP; 28 Dec 2013 22:03:23 -0000
Received: from 192.168.1.13 (192.168.1.13)
	by antivirus2 (F-Secure/fsigk_smtp/412/antivirus2);
	Sat, 28 Dec 2013 23:03:23 +0100 (CET)
X-Virus-Status: clean(F-Secure/fsigk_smtp/412/antivirus2)
Received: (qmail 17138 invoked from network); 28 Dec 2013 23:03:23 +0100
Received: from 108.60.20.95.dynamic.jazztel.es (HELO localhost.localdomain)
	(pneira@us.es@95.20.60.108)
	by mail.us.es with SMTP; 28 Dec 2013 23:03:23 +0100
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 5/8] ipvs: correct usage/allocation of seqadj ext in ipvs
Date: Sat, 28 Dec 2013 23:03:04 +0100
Message-Id: <1388268187-11569-6-git-send-email-pablo@netfilter.org>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1388268187-11569-1-git-send-email-pablo@netfilter.org>
References: <1388268187-11569-1-git-send-email-pablo@netfilter.org>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Jesper Dangaard Brouer <brouer@redhat.com>

The IPVS FTP helper ip_vs_ftp could trigger an OOPS in nf_ct_seqadj_set,
after commit 41d73ec053d2 (netfilter: nf_conntrack: make sequence number
adjustments usuable without NAT).

This is because, the seqadj ext is now allocated dynamically, and the
IPVS code didn't handle this situation.  Fix this in the IPVS nfct
code by invoking the alloc function nfct_seqadj_ext_add().

Fixes: 41d73ec053d2 (netfilter: nf_conntrack: make sequence number adjustments usuable without NAT)
Suggested-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_nfct.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index c8beafd..5a355a4 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -63,6 +63,7 @@
 #include <net/ip_vs.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 
@@ -97,6 +98,11 @@ ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
 	if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
 		return;
 
+	/* Applications may adjust TCP seqs */
+	if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP &&
+	    !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))
+		return;
+
 	/*
 	 * The connection is not yet in the hashtable, so we update it.
 	 * CIP->VIP will remain the same, so leave the tuple in