From patchwork Sun Jan 6 03:28:13 2019
X-Patchwork-Submitter: kchen
X-Patchwork-Id: 1021032
X-Patchwork-Delegate: davem@davemloft.net
From: kchen
To: nikolay@cumulusnetworks.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, JianJhen Chen
Subject: [PATCH 1/1] net: bridge: fix a bug on using a neighbour cache entry without checking its state
Date: Sun, 6 Jan 2019 11:28:13 +0800
Message-Id: <1546745293-5678-1-git-send-email-kchen@synology.com>
X-Mailing-List: netdev@vger.kernel.org

From: JianJhen Chen

When handling DNAT'ed packets on a bridge device, the neighbour cache entry from lookup was used without checking its state. It means that a cache entry in the NUD_STALE state will be used directly instead of entering the NUD_DELAY state to confirm the reachability of the neighbor.

This problem becomes worse after commit 2724680bceee ("neigh: Keep neighbour cache entries if number of them is small enough."), since all neighbour cache entries in the NUD_STALE state will be kept in the neighbour table as long as the number of cache entries does not exceed the value specified in gc_thresh1.

This commit validates the state of a neighbour cache entry before using the entry.

Signed-off-by: JianJhen Chen
Reviewed-by: JinLin Chen
--- net/bridge/br_netfilter_hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index b1b5e85..ed683e5 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c
@@ -278,7 +278,7 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_ struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); int ret; - if (neigh->hh.hh_len) { + if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) { neigh_hh_bridge(&neigh->hh, skb); skb->dev = nf_bridge->physindev; ret = br_handle_frame_finish(net, sk, skb);
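
Review bot: the rewritten test, if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len), reads neigh->nud_state with no lock or READ_ONCE() visible in this hunk, so the state can change between the check and the neigh_hh_bridge() call that follows. If that window is acceptable here, a one-line comment above the test saying so, and saying that entries outside NUD_CONNECTED are deliberately left to the code after this branch so they get revalidated, would make the intent clear. The hunk does not show that other path, so the commit message should name the call there that moves a NUD_STALE entry to NUD_DELAY. The message also cites 2724680bceee only as making the problem worse; a Fixes: tag for the commit that introduced the unchecked use would help backporting.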