[NETFILTER]: nf_conntrack_tcp: catch invalid state updates over ctnetlink

Invalid states can cause out-of-bound memory accesses of the state table. Also don't insist on having a new state contained in the netlink message. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2008-04-14 05:15:52 -0400
committer: Patrick McHardy <kaber@trash.net> 2008-04-14 05:15:52 -0400
commit: 5f7da4d26d421f3bdf10c3bbdb86ffc3a12a84f2 (patch)
tree: 67c6cbeaa4005d5410d2f9dd02b9802b6ddf8beb
parent: dd13b010368f85dfa59364ba87bfe8ae930b2832 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 62567959b66e..57831c75fa9f 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1129,11 +1129,13 @@ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
        if (err < 0)
                return err;
-        if (!tb[CTA_PROTOINFO_TCP_STATE])
+        if (tb[CTA_PROTOINFO_TCP_STATE] &&
+            nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
                return -EINVAL;
        write_lock_bh(&tcp_lock);
-        ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
+        if (tb[CTA_PROTOINFO_TCP_STATE])
+                ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
        if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
                struct nf_ct_tcp_flags *attr =
author	Patrick McHardy <kaber@trash.net>	2008-04-14 05:15:52 -0400
committer	Patrick McHardy <kaber@trash.net>	2008-04-14 05:15:52 -0400
commit	5f7da4d26d421f3bdf10c3bbdb86ffc3a12a84f2 (patch)
tree	67c6cbeaa4005d5410d2f9dd02b9802b6ddf8beb
parent	dd13b010368f85dfa59364ba87bfe8ae930b2832 (diff)