author | Pablo Neira Ayuso <pablo@netfilter.org> | 2005-11-14 18:22:11 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-11-14 18:22:11 -0500 |
commit | 56558208521729fa6b2a0f12df22e1569dee297a (patch) | |
tree | 0edad3244ac80e9cf00707ac4940e8c3a758cf75 | |
parent | c0400c4f5a08cfd1c657f7f616fcf1dfbd76a4d7 (diff) |
[NETFILTER] ctnetlink: More thorough size checking of attributes
Add missing size checks. Thanks Patrick McHardy for the hint.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_netlink.c | 39 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 7 |
2 files changed, 46 insertions, 0 deletions
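--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -614,6 +614,11 @@ static int ctnetlink_parse_nat_proto(struct nfattr *attr,
 return 0;
 }
 
+static const size_t cta_min_nat[CTA_NAT_MAX] = {
+[CTA_NAT_MINIP-1] = sizeof(u_int32_t),
+[CTA_NAT_MAXIP-1] = sizeof(u_int32_t),
+};
+
 static inline int
 ctnetlink_parse_nat(struct nfattr *cda[],
 const struct ip_conntrack *ct, struct ip_nat_range *range)
@@ -627,6 +632,9 @@ ctnetlink_parse_nat(struct nfattr *cda[],
 
 nfattr_parse_nested(tb, CTA_NAT_MAX, cda[CTA_NAT-1]);
 
+if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
+return -EINVAL;
+
 if (tb[CTA_NAT_MINIP-1])
 range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]);
 
@@ -667,6 +675,14 @@ ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
 return 0;
 }
 
+static const size_t cta_min[CTA_MAX] = {
+[CTA_STATUS-1] = sizeof(u_int32_t),
+[CTA_TIMEOUT-1] = sizeof(u_int32_t),
+[CTA_MARK-1] = sizeof(u_int32_t),
+[CTA_USE-1] = sizeof(u_int32_t),
+[CTA_ID-1] = sizeof(u_int32_t)
+};
+
 static int
 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
@@ -678,6 +694,9 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
 
 DEBUGP("entered %s\n", __FUNCTION__);
 
+if (nfattr_bad_size(cda, CTA_MAX, cta_min))
+return -EINVAL;
+
 if (cda[CTA_TUPLE_ORIG-1])
 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
 else if (cda[CTA_TUPLE_REPLY-1])
@@ -760,6 +779,9 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
 return 0;
 }
 
+if (nfattr_bad_size(cda, CTA_MAX, cta_min))
+return -EINVAL;
+
 if (cda[CTA_TUPLE_ORIG-1])
 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
 else if (cda[CTA_TUPLE_REPLY-1])
@@ -1047,6 +1069,9 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 
 DEBUGP("entered %s\n", __FUNCTION__);
 
+if (nfattr_bad_size(cda, CTA_MAX, cta_min))
+return -EINVAL;
+
 if (cda[CTA_TUPLE_ORIG-1]) {
 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG);
 if (err < 0)
@@ -1252,6 +1277,11 @@ out:
 return skb->len;
 }
 
+static const size_t cta_min_exp[CTA_EXPECT_MAX] = {
+[CTA_EXPECT_TIMEOUT-1] = sizeof(u_int32_t),
+[CTA_EXPECT_ID-1] = sizeof(u_int32_t)
+};
+
 static int
 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
@@ -1263,6 +1293,9 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
 
 DEBUGP("entered %s\n", __FUNCTION__);
 
+if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
+return -EINVAL;
+
 if (nlh->nlmsg_flags & NLM_F_DUMP) {
 struct nfgenmsg *msg = NLMSG_DATA(nlh);
 u32 rlen;
@@ -1333,6 +1366,9 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
 struct ip_conntrack_helper *h;
 int err;
 
+if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
+return -EINVAL;
+
 if (cda[CTA_EXPECT_TUPLE-1]) {
 /* delete a single expect by tuple */
 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
@@ -1462,6 +1498,9 @@ ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
 
 DEBUGP("entered %s\n", __FUNCTION__);
 
+if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
+return -EINVAL;
+
 if (!cda[CTA_EXPECT_TUPLE-1]
 || !cda[CTA_EXPECT_MASK-1]
 || !cda[CTA_EXPECT_MASTER-1])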
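Review bot: The `cta_min`, `cta_min_nat` and `cta_min_exp` tables list only the fixed-width scalar attributes, so every other slot stays at zero and presumably passes `nfattr_bad_size()` with no minimum (the helper is not visible in this section). Attributes handed to nested parsers right after the check, such as `ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG)`, therefore depend on those parsers validating their own payloads. Confirm that they do, and record it above each table with a comment like `/* minimum payload per attribute, indexed by type-1; zero entries are not size-checked here */`. Placement is also inconsistent: `ctnetlink_get_expect` runs the check before the `NLM_F_DUMP` branch, while in `ctnetlink_get_conntrack` it follows a `return 0; }` that appears to close the dump branch, so that dump path seems to be reached unvalidated. The handler bodies start and end outside the hunks.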
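--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -357,6 +357,10 @@ nfattr_failure:
 return -1;
 }
 
+static const size_t cta_min_tcp[CTA_PROTOINFO_TCP_MAX] = {
+[CTA_PROTOINFO_TCP_STATE-1] = sizeof(u_int8_t),
+};
+
 static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
 {
 struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
@@ -369,6 +373,9 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
 
 nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr);
 
+if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp))
+return -EINVAL;
+
 if (!tb[CTA_PROTOINFO_TCP_STATE-1])
 return -EINVAL;
 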
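Review bot: The new check against `cta_min_tcp` only guarantees that `CTA_PROTOINFO_TCP_STATE` carries at least one byte; it does not constrain the value of that byte. The code that consumes the state lies below the hunk, so confirm that it rejects out-of-range states before storing them in the conntrack entry, for example with `if (*(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]) >= TCP_CONNTRACK_MAX) return -EINVAL;`. A state value taken from a netlink message and stored unchecked could later be used as an index into state tables. The body of nfattr_to_tcp continues outside the hunk.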