[NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case search for loops

[linux-2.6-omap-h63xx.git] / net / ipv6 / netfilter / ip6_tables.c
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c

index f63fb86d7c7b56732a108bcf1cfeae6b9f81472b..99502c5da4c45336cf2cd1b5ed2c71b3ea685744 100644 (file)
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -413,6 +413,7 @@ mark_source_chains(struct xt_table_info *newinfo,
                 unsigned int pos = newinfo->hook_entry[hook];
                 struct ip6t_entry *e
                         = (struct ip6t_entry *)(entry0 + pos);
+               int visited = e->comefrom & (1 << hook);
  
                 if (!(valid_hooks & (1 << hook)))
                         continue;
@@ -433,13 +434,20 @@ mark_source_chains(struct xt_table_info *newinfo,
                                 |= ((1 << hook) | (1 << NF_IP6_NUMHOOKS));
  
                         /* Unconditional return/END. */
-                       if (e->target_offset == sizeof(struct ip6t_entry)
+                       if ((e->target_offset == sizeof(struct ip6t_entry)
                             && (strcmp(t->target.u.user.name,
                                        IP6T_STANDARD_TARGET) == 0)
                             && t->verdict < 0
-                           && unconditional(&e->ipv6)) {
+                           && unconditional(&e->ipv6)) || visited) {
                                 unsigned int oldpos, size;
  
+                               if (t->verdict < -NF_MAX_VERDICT - 1) {
+                                       duprintf("mark_source_chains: bad "
+                                               "negative verdict (%i)\n",
+                                                               t->verdict);
+                                       return 0;
+                               }
+
                                 /* Return: backtrack through the last
                                    big jump. */
                                 do {
@@ -477,6 +485,13 @@ mark_source_chains(struct xt_table_info *newinfo,
                                 if (strcmp(t->target.u.user.name,
                                            IP6T_STANDARD_TARGET) == 0
                                     && newpos >= 0) {
+                                       if (newpos > newinfo->size -
+                                               sizeof(struct ip6t_entry)) {
+                                               duprintf("mark_source_chains: "
+                                                       "bad verdict (%i)\n",
+                                                               newpos);
+                                               return 0;
+                                       }
                                         /* This a jump; chase it. */
                                         duprintf("Jump rule %u -> %u\n",
                                                  pos, newpos);
@@ -508,27 +523,6 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
         return 0;
  }
  
-static inline int
-standard_check(const struct ip6t_entry_target *t,
-              unsigned int max_offset)
-{
-       struct ip6t_standard_target *targ = (void *)t;
-
-       /* Check standard info. */
-       if (targ->verdict >= 0
-           && targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
-               duprintf("ip6t_standard_check: bad verdict (%i)\n",
-                        targ->verdict);
-               return 0;
-       }
-       if (targ->verdict < -NF_MAX_VERDICT - 1) {
-               duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
-                        targ->verdict);
-               return 0;
-       }
-       return 1;
-}
-
  static inline int
  check_match(struct ip6t_entry_match *m,
             const char *name,
@@ -616,12 +610,7 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
         if (ret)
                 goto err;
  
-       if (t->u.kernel.target == &ip6t_standard_target) {
-               if (!standard_check(t, size)) {
-                       ret = -EINVAL;
-                       goto err;
-               }
-       } else if (t->u.kernel.target->checkentry
+       if (t->u.kernel.target->checkentry
                    && !t->u.kernel.target->checkentry(name, e, target, t->data,
                                                       e->comefrom)) {
                 duprintf("ip_tables: check failed for `%s'.\n",
@@ -758,17 +747,19 @@ translate_table(const char *name,
                 }
         }
  
+       if (!mark_source_chains(newinfo, valid_hooks, entry0))
+               return -ELOOP;
+
         /* Finally, each sanity check must pass */
         i = 0;
         ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
                                 check_entry, name, size, &i);
  
-       if (ret != 0)
-               goto cleanup;
-
-       ret = -ELOOP;
-       if (!mark_source_chains(newinfo, valid_hooks, entry0))
-               goto cleanup;
+       if (ret != 0) {
+               IP6T_ENTRY_ITERATE(entry0, newinfo->size,
+                                  cleanup_entry, &i);
+               return ret;
+       }
  
         /* And one copy for every other CPU */
         for_each_possible_cpu(i) {
@@ -777,9 +768,6 @@ translate_table(const char *name,
         }
  
         return 0;
-cleanup:
-       IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
-       return ret;
  }
  
  /* Gets counters. */