On Thursday 2015-07-02 13:30, Pablo Neira Ayuso wrote:
>>
>> Unlike ip and ip6tables, arp tables were never converted to use the percpu
>> jump stack.
>>
>> net/ipv4/netfilter/arp_tables.c | 25 ++++++++++++++++---------
>> - /* Save old back ptr in next entry */
>> - struct arpt_entry *next = arpt_next_entry(e);
>> - next->comefrom = (void *)back - table_base;
>>
>> - /* set back pointer to next entry */
>> - back = next;
>> + if (WARN_ON_ONCE(stackidx >= private->stacksize)) {
>> + verdict = NF_DROP;
>> + break;
>> + }
>
>I can see you're getting this in sync with iptables, but I wonder
>about this defensive check to make sure we don't go over the allocated
>jumpstack area. This was added in f3c5c1bfd43.
>
>If we remove it and things are broken, then this will crash with a
>general protection fault when accessing memory out of the jumpstack
>boundary.

To the best of my knowledge, arp_tables does not offer any target that can
re-enter (such as REJECT, TEE, SYNPROXY do in IPv6/IPv4), so we would never
have a situation with stackidx >= stacksize anyway.

>Eric Dumazet indicated during the NFWS that it would be a good idea
>to make this jumpstack fixed length as in nftables, so we can place
>it in the stack and get rid of this percpu jumpstack that was
>introduced to cope with reentrancy (only TEE needs this).

fixed *and reduced* (you don't want to place a 64-chain list onto the stack),
and the reduction is what will be in conflict with rulesets.
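Review bot: the added WARN_ON_ONCE guard fails closed (verdict = NF_DROP, then break) instead of indexing the jumpstack past private->stacksize, which is the right replacement for the removed comefrom back-pointer scheme and avoids the general protection fault described above; the quoted hunk shows only the removed back-pointer lines and the new check, not where stackidx is incremented on a jump or decremented on return, so confirm that every push has a matching pop and that stackidx starts at zero for each packet, since a leaked counter would make this guard trigger spuriously and drop traffic. The commit message should also state the rationale given in the reply, that arp_tables has no reentrant targets, so the check is understood as a bounds guard for oversized rulesets rather than as reentrancy handling.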
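To make the bounded-jumpstack discussion concrete, here is an added example written for this page, not code from the patch, from arp_tables or from nftables: a hypothetical user-space model in C of chain traversal with a fixed-length jump stack. The names `evaluate`, `nested_verdict`, `guard_fired`, `return_path_balanced`, `JUMPSTACK_SIZE` and the rule/chain structures are assumptions of this model. It shows that a jump nesting deeper than the stack size ends in a fail-closed drop rather than an out-of-bounds write, and that a balanced jump/return sequence leaves the stack index at zero, which is what a per-packet guard like the one in the hunk relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model (added example, not kernel code): a chain walker with a
 * fixed-length jump stack. The limit is deliberately tiny so the overflow
 * path is easy to exercise. */
#define JUMPSTACK_SIZE 4
#define MAX_CHAINS 16

enum verdict { V_CONTINUE, V_ACCEPT, V_DROP, V_JUMP, V_RETURN };

struct rule {
    enum verdict action;
    int target_chain;               /* only meaningful for V_JUMP */
};

struct chain {
    const struct rule *rules;
    size_t nrules;
};

struct eval_state {
    struct { int chain; size_t rule; } jumpstack[JUMPSTACK_SIZE];
    size_t stackidx;                /* frames currently pushed */
    bool overflowed;                /* set when the bounds guard fired */
};

/* Pop the saved (chain, next rule) frame; false when already at depth 0. */
static bool pop_frame(struct eval_state *st, int *cur, size_t *i)
{
    if (st->stackidx == 0)
        return false;
    st->stackidx--;
    *cur = st->jumpstack[st->stackidx].chain;
    *i = st->jumpstack[st->stackidx].rule;
    return true;
}

/* Walk the chains from `start`. Every push is checked against JUMPSTACK_SIZE;
 * on overflow the packet is dropped (fail closed) instead of writing past the
 * array. Running off the end of the base chain accepts (model policy). */
enum verdict evaluate(const struct chain *chains, int start, struct eval_state *st)
{
    int cur = start;
    size_t i = 0;

    st->stackidx = 0;               /* fresh counter for every packet */
    st->overflowed = false;
    for (;;) {
        if (i >= chains[cur].nrules) {          /* end of chain: implicit RETURN */
            if (!pop_frame(st, &cur, &i))
                return V_ACCEPT;
            continue;
        }
        const struct rule *r = &chains[cur].rules[i];
        switch (r->action) {
        case V_ACCEPT:
        case V_DROP:
            return r->action;
        case V_JUMP:
            if (st->stackidx >= JUMPSTACK_SIZE) {   /* the bounds guard */
                st->overflowed = true;
                return V_DROP;
            }
            st->jumpstack[st->stackidx].chain = cur;
            st->jumpstack[st->stackidx].rule = i + 1;
            st->stackidx++;
            cur = r->target_chain;
            i = 0;
            break;
        case V_RETURN:
            if (!pop_frame(st, &cur, &i))
                return V_ACCEPT;
            break;
        default:                                /* V_CONTINUE */
            i++;
            break;
        }
    }
}

/* Constructed ruleset: `depth` chains where chain k jumps to chain k+1 and
 * the last one accepts, so depth-1 frames are needed to reach the verdict. */
enum verdict nested_verdict(int depth, bool *overflowed)
{
    static struct rule rules[MAX_CHAINS];
    static struct chain chains[MAX_CHAINS];
    struct eval_state st;

    if (depth < 1 || depth > MAX_CHAINS)
        return V_DROP;
    for (int k = 0; k < depth; k++) {
        rules[k].action = (k == depth - 1) ? V_ACCEPT : V_JUMP;
        rules[k].target_chain = k + 1;
        chains[k].rules = &rules[k];
        chains[k].nrules = 1;
    }
    enum verdict v = evaluate(chains, 0, &st);
    if (overflowed)
        *overflowed = st.overflowed;
    return v;
}

/* Convenience: did the guard fire for a nesting of `depth` chains? */
bool guard_fired(int depth)
{
    bool o = false;
    nested_verdict(depth, &o);
    return o;
}

/* Constructed ruleset with one explicit RETURN and one implicit (end-of-chain)
 * return; both must pop their frame so stackidx is back at zero at the end. */
bool return_path_balanced(void)
{
    static const struct rule base[] = { { V_JUMP, 1 }, { V_JUMP, 2 }, { V_ACCEPT, 0 } };
    static const struct rule explicit_ret[] = { { V_CONTINUE, 0 }, { V_RETURN, 0 } };
    static const struct rule implicit_ret[] = { { V_CONTINUE, 0 } };
    static const struct chain chains[] = { { base, 3 }, { explicit_ret, 2 }, { implicit_ret, 1 } };
    struct eval_state st;
    enum verdict v = evaluate(chains, 0, &st);
    return v == V_ACCEPT && st.stackidx == 0;
}

int main(void)
{
    printf("depth 5: %s\n", nested_verdict(5, NULL) == V_ACCEPT ? "ACCEPT" : "DROP");
    printf("depth 6: %s, guard fired: %d\n", nested_verdict(6, NULL) == V_DROP ? "DROP" : "ACCEPT", guard_fired(6));
    printf("balanced return path: %d\n", return_path_balanced());
    return 0;
}
```

With JUMPSTACK_SIZE set to 4, a nesting of five chains (four jumps) still reaches its ACCEPT, while six chains hit the guard and are dropped; the model also shows why the counter must be reset per packet and why each push needs a matching pop, since a leaked frame would shrink the usable depth for every later packet.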