author | Eric W. Biederman <ebiederm@xmission.com> | 2015-06-19 17:23:37 -0500 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-07-02 15:03:13 +0200 |
commit | f307170d6e591a48529425b1ed6ca835790995a9 (patch) | |
tree | a067197638084b8853d59ed6af1f0c5209f5ad9a /net | |
parent | 4da3064d1775810f10f7ddc1c34c3f1ff502a654 (diff) | |
netfilter: nf_queue: Don't recompute the hook_list head
If someone sends packets from one of the netdevice ingress hooks to
a userspace queue, and then userspace later accepts the packet,
the netfilter code can enter an infinite loop as the list head will
never be found.
Pass in the saved list_head to avoid this.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_queue.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c index cd60d397fe05..8a8b2abc35ff 100644 --- a/net/netfilter/nf_queue.c +++ b/net/netfilter/nf_queue.c @@ -213,7 +213,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict) if (verdict == NF_ACCEPT) { next_hook: - verdict = nf_iterate(&nf_hooks[entry->state.pf][entry->state.hook], + verdict = nf_iterate(entry->state.hook_list, skb, &entry->state, &elem); } |
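
Review bot: In `nf_reinject()`, on the `next_hook:` path, the new argument `entry->state.hook_list` is a pointer saved before the packet went to userspace, and nothing in this hunk shows what keeps that list head valid until the verdict comes back. A packet can sit in the queue for an arbitrary time, so please add a short comment above the `nf_iterate()` call (or a sentence in the commit message) stating what guarantees the saved head outlives the queued entry. The same comment should say why the head must not be recomputed from `entry->state.pf` and `entry->state.hook`: per the commit message, for netdevice ingress hooks that lookup yields a head `elem` is not linked on, so the walk never terminates. Without that note the old `&nf_hooks[...][...]` form looks like an equivalent simplification and could be reintroduced later.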