releases/4.9.124/netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 6613b6173dee098997229caf1f3b961c49da75e6 Mon Sep 17 00:00:00 2001
 From: Florian Westphal <fw@strlen.de>
 Date: Tue, 17 Jul 2018 21:03:15 +0200
 Subject: netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state

 From: Florian Westphal <fw@strlen.de>

 commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.

 When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
 that has an un-initialized timeout value, i.e. such entry could be
 reaped at any time.

 Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
 an old state.

 Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
 Signed-off-by: Florian Westphal <fw@strlen.de>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/netfilter/nf_conntrack_proto_dccp.c |    8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 --- a/net/netfilter/nf_conntrack_proto_dccp.c
 +++ b/net/netfilter/nf_conntrack_proto_dccp.c
 @@ -244,14 +244,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
  		 * We currently ignore Sync packets
  		 *
  		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 -			sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
 +			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
  		},
  		[DCCP_PKT_SYNCACK] = {
  		/*
  		 * We currently ignore SyncAck packets
  		 *
  		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 -			sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
 +			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
  		},
  	},
  	[CT_DCCP_ROLE_SERVER] = {
 @@ -372,14 +372,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
  		 * We currently ignore Sync packets
  		 *
  		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 -			sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
 +			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
  		},
  		[DCCP_PKT_SYNCACK] = {
  		/*
  		 * We currently ignore SyncAck packets
  		 *
  		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
 -			sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
 +			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
  		},
  	},
  };
	From 6613b6173dee098997229caf1f3b961c49da75e6 Mon Sep 17 00:00:00 2001
	From: Florian Westphal <fw@strlen.de>
	Date: Tue, 17 Jul 2018 21:03:15 +0200
	Subject: netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state

	From: Florian Westphal <fw@strlen.de>

	commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.

	When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
	that has an un-initialized timeout value, i.e. such entry could be
	reaped at any time.

	Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
	an old state.

	Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/netfilter/nf_conntrack_proto_dccp.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	--- a/net/netfilter/nf_conntrack_proto_dccp.c
	+++ b/net/netfilter/nf_conntrack_proto_dccp.c
	@@ -244,14 +244,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
	* We currently ignore Sync packets
	*
	* sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
	- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
	+ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
	},
	[DCCP_PKT_SYNCACK] = {
	/*
	* We currently ignore SyncAck packets
	*
	* sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
	- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
	+ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
	},
	},
	[CT_DCCP_ROLE_SERVER] = {
	@@ -372,14 +372,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
	* We currently ignore Sync packets
	*
	* sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
	- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
	+ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
	},
	[DCCP_PKT_SYNCACK] = {
	/*
	* We currently ignore SyncAck packets
	*
	* sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
	- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
	+ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
	},
	},
	};