diff options
author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2012-04-03 16:02:01 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-04-10 06:50:49 -0400 |
commit | 07153c6ec074257ade76a461429b567cff2b3a1e (patch) | |
tree | ca918b6b18835b650ad4a9fed8bc08b1e6c6d273 | |
parent | 8430eac2f6a3c2adce22d490e2ab8bb50d59077a (diff) |
netfilter: nf_ct_ipv4: packets with wrong ihl are invalid
It was reported that the Linux kernel sometimes logs:
klogd: [2629147.402413] kernel BUG at net / netfilter /
nf_conntrack_proto_tcp.c: 447!
klogd: [1072212.887368] kernel BUG at net / netfilter /
nf_conntrack_proto_tcp.c: 392
ipv4_get_l4proto() in nf_conntrack_l3proto_ipv4.c and tcp_error() in
nf_conntrack_proto_tcp.c should catch malformed packets, so the errors
at the indicated lines - TCP options parsing - should not happen.
However, tcp_error() relies on the "dataoff" offset to the TCP header,
calculated by ipv4_get_l4proto(). But ipv4_get_l4proto() does not check
bogus ihl values in IPv4 packets, which then can slip through tcp_error()
and get caught at the TCP options parsing routines.
The patch fixes ipv4_get_l4proto() by invalidating packets with bogus
ihl value.
The patch closes netfilter bugzilla id 771.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 750b06afd20..cf73cc70ed2 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
@@ -84,6 +84,14 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff, | |||
84 | *dataoff = nhoff + (iph->ihl << 2); | 84 | *dataoff = nhoff + (iph->ihl << 2); |
85 | *protonum = iph->protocol; | 85 | *protonum = iph->protocol; |
86 | 86 | ||
87 | /* Check bogus IP headers */ | ||
88 | if (*dataoff > skb->len) { | ||
89 | pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: " | ||
90 | "nhoff %u, ihl %u, skblen %u\n", | ||
91 | nhoff, iph->ihl << 2, skb->len); | ||
92 | return -NF_ACCEPT; | ||
93 | } | ||
94 | |||
87 | return NF_ACCEPT; | 95 | return NF_ACCEPT; |
88 | } | 96 | } |
89 | 97 | ||