
netfilter: fix nf_l4proto_log_invalid to log invalid packets

Message ID 20190417164944.1462-1-avagin@gmail.com
State Awaiting Upstream
Delegated to: David Miller

Commit Message

Andrei Vagin April 17, 2019, 4:49 p.m. UTC
It doesn't log a packet if sysctl_log_invalid isn't equal to protonum
OR sysctl_log_invalid isn't equal to IPPROTO_RAW. This sentence is
always true. I believe we need to replace OR to AND.

Cc: Florian Westphal <fw@strlen.de>
Fixes: c4f3db1595827 ("netfilter: conntrack: add and use nf_l4proto_log_invalid")
Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
 net/netfilter/nf_conntrack_proto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Florian Westphal April 17, 2019, 8:37 p.m. UTC | #1
Andrei Vagin <avagin@gmail.com> wrote:
> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> index b9403a266a2e..37bb530d848f 100644
> --- a/net/netfilter/nf_conntrack_proto.c
> +++ b/net/netfilter/nf_conntrack_proto.c
> @@ -55,7 +55,7 @@ void nf_l4proto_log_invalid(const struct sk_buff *skb,
>  	struct va_format vaf;
>  	va_list args;
>  
> -	if (net->ct.sysctl_log_invalid != protonum ||
> +	if (net->ct.sysctl_log_invalid != protonum &&
>  	    net->ct.sysctl_log_invalid != IPPROTO_RAW)
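Review bot: the condition on net->ct.sysctl_log_invalid has no comment saying that IPPROTO_RAW is accepted as a match for any protonum, which is the detail a reader needs to see why the two `!=` tests must be joined with `&&`. A short comment above the `if`, along the lines of "log only when the sysctl selects this protocol or IPPROTO_RAW", would make a regression back to `||` easier to catch in review.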

Urgh, thanks for fixing this.

Acked-by: Florian Westphal <fw@strlen.de>

Pablo Neira Ayuso April 22, 2019, 8:38 a.m. UTC | #2
On Wed, Apr 17, 2019 at 09:49:44AM -0700, Andrei Vagin wrote:
> It doesn't log a packet if sysctl_log_invalid isn't equal to protonum
> OR sysctl_log_invalid isn't equal to IPPROTO_RAW. This sentence is
> always true. I believe we need to replace OR to AND.

Applied, thanks.

Dexuan-Linux Cui April 30, 2019, 6:38 a.m. UTC | #3
On Mon, Apr 22, 2019 at 1:40 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Wed, Apr 17, 2019 at 09:49:44AM -0700, Andrei Vagin wrote:
> > It doesn't log a packet if sysctl_log_invalid isn't equal to protonum
> > OR sysctl_log_invalid isn't equal to IPPROTO_RAW. This sentence is
> > always true. I believe we need to replace OR to AND.
>
> Applied, thanks.

I also happened to find this bug today.
I almost can not believe I'm the second guy to notice the issue -- the
bug has been there for 1 year and a half...

Anyway, I'm glad to see that Andrei fixed it!

-- Dexuan

Patch

diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index b9403a266a2e..37bb530d848f 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -55,7 +55,7 @@  void nf_l4proto_log_invalid(const struct sk_buff *skb,
 	struct va_format vaf;
 	va_list args;
 
-	if (net->ct.sysctl_log_invalid != protonum ||
+	if (net->ct.sysctl_log_invalid != protonum &&
 	    net->ct.sysctl_log_invalid != IPPROTO_RAW)
 		return;
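Review bot: the changed `if` reads net->ct.sysctl_log_invalid twice, once per comparison, so the two tests are not guaranteed to see the same value if the sysctl is updated concurrently. Loading it once into a local before the test and comparing that local against protonum and IPPROTO_RAW would remove that window and let the condition fit on one line.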