Fix err check for nf_conntrack_confirm
Bug #1934819 reported by
Bodong Wang
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux-bluefield (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Medium
|
Bodong Wang |
Bug Description
* Explain the bug(s)
Conntrack confirm operation wasn't checked, this could result in accepting packet which should be dropped.
* brief explanation of fixes
Match behavior of ovs and netfilter. Drop the packets which are not accepted.
* How to test
First observe packets accepted with status of NF_DROP without the fix.
Then observe packets are correctly dropped with the patch.
* What it could break.
Nothing breaks, but fixing security hole.
Changed in linux-bluefield (Ubuntu): | |
assignee: | nobody → Bodong Wang (bodong-wang) |
status: | New → In Progress |
Changed in linux-bluefield (Ubuntu Focal): | |
assignee: | nobody → Bodong Wang (bodong-wang) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in linux-bluefield (Ubuntu): | |
assignee: | Bodong Wang (bodong-wang) → nobody |
status: | In Progress → Invalid |
Changed in linux-bluefield (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
tags: |
added: verification-done-focal removed: verification-needed-focal |
To post a comment you must log in.
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification- needed- focal' to 'verification- done-focal' . If the problem still exists, change the tag 'verification- needed- focal' to 'verification- failed- focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you!