[linux] 01/01: Revert "netfilter: ensure number of counters is >0 in do_replace()"

debian-kernel at lists.debian.org
Sat Jul 2 09:23:43 UTC 2016


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 8f7b310c6ec552b4d9b5b7ffc93b68cb5e1a0529
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sat Jul 2 11:10:02 2016 +0200

    Revert "netfilter: ensure number of counters is >0 in do_replace()"
    
    Fixes regression introduced in 3.16.7-ckt25-2+deb8u2. Setting rules with
    ebtables did not work any more.
    
    Thanks: Jacob Lundberg <jacob at collegenet.com>
    Closes: #828914
---
 debian/changelog                                   |  9 ++++
 ...ilter-ensure-number-of-counters-is-0-in-d.patch | 53 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 63 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c2c66ef..394d8d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+linux (3.16.7-ckt25-2+deb8u3) UNRELEASED; urgency=medium
+
+  * Revert "netfilter: ensure number of counters is >0 in do_replace()"
+    Fixes regression introduced in 3.16.7-ckt25-2+deb8u2. Setting rules with
+    ebtables did not work any more.
+    Thanks to Jacob Lundberg <jacob at collegenet.com> (Closes: #828914)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 02 Jul 2016 11:22:39 +0200
+
 linux (3.16.7-ckt25-2+deb8u2) jessie-security; urgency=high
 
   * Fix backport of "netfilter: x_tables: validate targets of jumps"
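Review bot: the first bullet of the new 3.16.7-ckt25-2+deb8u3 entry reads as a full revert, but the patch it refers to describes itself as partially reverting 1086bbe97a07, limited to net/bridge/netfilter/ebtables.c. Suggest wording the bullet as a partial revert (ebtables part only), so that someone reading the changelog of a security upload can tell that the remainder of the earlier change is still applied.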
diff --git a/debian/patches/bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch b/debian/patches/bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
new file mode 100644
index 0000000..98ce9e7
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
@@ -0,0 +1,53 @@
+From: Bernhard Thaler <bernhard.thaler at wvnet.at>
+Date: Thu, 28 May 2015 10:26:18 +0200
+Subject: Revert "netfilter: ensure number of counters is >0 in do_replace()"
+Origin: https://git.kernel.org/linus/d26e2c9ffa385dd1b646f43c1397ba12af9ed431
+
+This partially reverts commit 1086bbe97a07 ("netfilter: ensure number of
+counters is >0 in do_replace()") in net/bridge/netfilter/ebtables.c.
+
+Setting rules with ebtables does not work any more with 1086bbe97a07 place.
+
+There is an error message and no rules set in the end.
+
+e.g.
+
+~# ebtables -t nat -A POSTROUTING --src 12:34:56:78:9a:bc -j DROP
+Unable to update the kernel. Two possible causes:
+1. Multiple ebtables programs were executing simultaneously. The ebtables
+   userspace tool doesn't by default support multiple ebtables programs
+running
+
+Reverting the ebtables part of 1086bbe97a07 makes this work again.
+
+Signed-off-by: Bernhard Thaler <bernhard.thaler at wvnet.at>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/bridge/netfilter/ebtables.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 24c7c96..91180a7 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1117,8 +1117,6 @@ static int do_replace(struct net *net, const void __user *user,
+ 		return -ENOMEM;
+ 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ 		return -ENOMEM;
+-	if (tmp.num_counters == 0)
+-		return -EINVAL;
+ 
+ 	tmp.name[sizeof(tmp.name) - 1] = 0;
+ 
+@@ -2161,8 +2159,6 @@ static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
+ 		return -ENOMEM;
+ 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ 		return -ENOMEM;
+-	if (tmp.num_counters == 0)
+-		return -EINVAL;
+ 
+ 	memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
+ 
+-- 
+2.8.1
+
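Review bot: with the "tmp.num_counters == 0" test dropped in both do_replace() and compat_copy_ebt_replace_from_user(), a zero count is accepted again and only the upper bound "tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)" is left in front of the code that follows. The description shows the ebtables failure but not why zero is a legitimate value for ebtables or how the code after these checks treats it. A sentence on that in the patch header would help, as the visible context does not show it. The quoted ebtables output is also cut off after the first of the "Two possible causes", and a Bug-Debian header pointing at #828914 would tie the patch to the regression report named in the commit message.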
diff --git a/debian/patches/series b/debian/patches/series
index 2be4b88..9740c31 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -723,3 +723,4 @@ bugfix/all/posix_acl-Add-set_posix_acl.patch
 bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch
 debian/migrate-fix-abi-change-in-3.16.36.patch
 bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
+bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
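Review bot: the revert is appended directly after bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch, so the original backport is still applied in full and then partly undone, and the result depends on this ordering being kept. The two truncated file names are also easy to confuse. Consider a short comment in the series file, or dropping the ebtables.c hunks from the original backport instead, so the final state of the check is visible in one place.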

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


