[Devel] [PATCH RHEL7 COMMIT] vzprivnet: Incorrect return value in vzprivnet_hook()
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Mar 24 08:53:43 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit 0e06b9e1b65b72e287176d8478a79572f1fc379f
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Thu Mar 24 19:53:43 2016 +0400
vzprivnet: Incorrect return value in vzprivnet_hook()
Port diff-vzprivnet-incorrect-return-value-in-vzprivnet_hook
incorrect return value in vzprivnet_hook()
vzprivnet_hook() can return values taken from vzprivnet_classify() without
proper translation.
As a result, VZPRIV_MARK_DROP taken from vzprivnet_classify()
will be incorrectly interpreted as NF_STOLEN in nf_hook_slow(),
leading to an skb leak and probably breaking vzprivnet functionality.
https://jira.sw.ru/browse/PSBM-28845
Signed-off-by: Vasily Averin <vvs at parallels.com>
Acked-by: Andrew Vagin <avagin at parallels.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
net/ipv4/netfilter/ip_vzprivnet.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/ip_vzprivnet.c b/net/ipv4/netfilter/ip_vzprivnet.c
index 2045951..efe0d95 100644
--- a/net/ipv4/netfilter/ip_vzprivnet.c
+++ b/net/ipv4/netfilter/ip_vzprivnet.c
@@ -253,10 +253,12 @@ static unsigned int vzprivnet_hook(struct sk_buff *skb, int can_be_bridge)
dst = skb_dst(skb);
if (dst != NULL) {
if (can_be_bridge && dst->output != ip_output) { /* bridge */
- if (!vzpn_handle_bridged)
+ if (vzpn_handle_bridged) {
+ pmark = vzprivnet_classify(skb, 1);
+ return pmark == VZPRIV_MARK_ACCEPT ?
+ NF_ACCEPT : NF_DROP;
+ } else
return NF_ACCEPT;
- else
- return vzprivnet_classify(skb, 1);
}
pmark = dst_pmark_get(dst);
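Review bot: the new bridged branch at `pmark = vzprivnet_classify(skb, 1);` maps every mark other than VZPRIV_MARK_ACCEPT to NF_DROP, which is the fail-closed choice for a netfilter hook and does remove the raw-mark-as-verdict confusion with NF_STOLEN described in the commit message; if vzprivnet_classify() can return any mark besides VZPRIV_MARK_ACCEPT and VZPRIV_MARK_DROP, a one-line comment stating that all non-ACCEPT marks are dropped on the bridged path would make that policy explicit for the next reader. Minor style point: now that the `if` arm is braced, kernel coding style asks for braces on the `} else` arm as well, i.e. `} else {` / `return NF_ACCEPT;` / `}`, instead of the current brace-less `} else` followed by the unindented `return NF_ACCEPT;`.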