> -----Original Message----- > From: Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx] > Sent: Friday, April 14, 2017 5:45 AM > To: gfree.wind@xxxxxxxxxxx > Cc: netfilter-devel@xxxxxxxxxxxxxxx; Gao Feng <fgao@xxxxxxxxxx> > Subject: Re: [PATCH nf 1/1] netfilter: seqadj: Fix possible non-linear data access > for TCP header > > On Thu, Apr 13, 2017 at 11:42:49PM +0200, Pablo Neira Ayuso wrote: > > On Thu, Apr 13, 2017 at 11:37:05PM +0200, Pablo Neira Ayuso wrote: > > > On Mon, Apr 10, 2017 at 06:36:03PM +0800, gfree.wind@xxxxxxxxxxx > wrote: > > > > From: Gao Feng <fgao@xxxxxxxxxx> > > > > > > > > The current call path of nf_ct_tcp_seqadj_set is the following. > > > > > > > > nfqnl_recv_verdict->ctnetlink_glue_hook->ctnetlink_glue_seqadj > > > > ->nf_ct_tcp_seqadj_set. > > > > > > > > It couldn't make sure the TCP header is in the linear data part. > > > > So use the skb_header_pointer instead of the current codes. > > > > > > > > BTW, the nf_ct_tcp_seqadj_set is one external function of > > > > netfilter which works in the network layer, it should not assume > > > > the transport header is in the linear data. > > > > > > Applied. > > > > > > I wish you fix your mail client setup, it is a mess. I always have > > > to figure out which patch is correct in the large bunch. You have > > > to be more careful. Sorry, because I could not login the original gmail account sometimes. So I have to change the email account, and select one which could support text email well. I find that his conversation is mess caused by different account of email client. And I tried to correct it with resending the patches. > > > > Wait, I'm dropping this. > > > > Caller already guarantee that this area has been skb_make_writable via > > payload mangle, right? > > > > Please, have a closer look. I find it is ok with your tip. I only traced the call path " nfnl_ct_hook->ctnetlink_glue_seqadj->nf_ct_tcp_seqadj_set " before. Best Regards Feng > > BTW, please stop sending me patches until I review what I have in patchwork > from you. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
