authorPablo Neira Ayuso <pablo@netfilter.org>2005-11-14 18:22:11 -0500
committerDavid S. Miller <davem@davemloft.net>2005-11-14 18:22:11 -0500
commit56558208521729fa6b2a0f12df22e1569dee297a (patch)
tree0edad3244ac80e9cf00707ac4940e8c3a758cf75
parentc0400c4f5a08cfd1c657f7f616fcf1dfbd76a4d7 (diff)
[NETFILTER] ctnetlink: More thorough size checking of attributes
Add missing size checks. Thanks Patrick McHardy for the hint. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/ip_conntrack_netlink.c39
-rw-r--r--net/ipv4/netfilter/ip_conntrack_proto_tcp.c7
2 files changed, 46 insertions, 0 deletions
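--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -614,6 +614,11 @@ static int ctnetlink_parse_nat_proto(struct nfattr *attr,
 	return 0;
 }
 
+static const size_t cta_min_nat[CTA_NAT_MAX] = {
+	[CTA_NAT_MINIP-1] = sizeof(u_int32_t),
+	[CTA_NAT_MAXIP-1] = sizeof(u_int32_t),
+};
+
 static inline int
 ctnetlink_parse_nat(struct nfattr *cda[],
 		    const struct ip_conntrack *ct, struct ip_nat_range *range)
@@ -627,6 +632,9 @@ ctnetlink_parse_nat(struct nfattr *cda[],
 
 	nfattr_parse_nested(tb, CTA_NAT_MAX, cda[CTA_NAT-1]);
 
+	if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
+		return -EINVAL;
+
 	if (tb[CTA_NAT_MINIP-1])
 		range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]);
 
@@ -667,6 +675,14 @@ ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
 	return 0;
 }
 
+static const size_t cta_min[CTA_MAX] = {
+	[CTA_STATUS-1] = sizeof(u_int32_t),
+	[CTA_TIMEOUT-1] = sizeof(u_int32_t),
+	[CTA_MARK-1] = sizeof(u_int32_t),
+	[CTA_USE-1] = sizeof(u_int32_t),
+	[CTA_ID-1] = sizeof(u_int32_t)
+};
+
 static int
 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
 			struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
@@ -678,6 +694,9 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
 
 	DEBUGP("entered %s\n", __FUNCTION__);
 
+	if (nfattr_bad_size(cda, CTA_MAX, cta_min))
+		return -EINVAL;
+
 	if (cda[CTA_TUPLE_ORIG-1])
 		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
 	else if (cda[CTA_TUPLE_REPLY-1])
@@ -760,6 +779,9 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
 		return 0;
 	}
 
+	if (nfattr_bad_size(cda, CTA_MAX, cta_min))
+		return -EINVAL;
+
 	if (cda[CTA_TUPLE_ORIG-1])
 		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
 	else if (cda[CTA_TUPLE_REPLY-1])
@@ -1047,6 +1069,9 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 
 	DEBUGP("entered %s\n", __FUNCTION__);
 
+	if (nfattr_bad_size(cda, CTA_MAX, cta_min))
+		return -EINVAL;
+
 	if (cda[CTA_TUPLE_ORIG-1]) {
 		err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG);
 		if (err < 0)
@@ -1252,6 +1277,11 @@ out:
 	return skb->len;
 }
 
+static const size_t cta_min_exp[CTA_EXPECT_MAX] = {
+	[CTA_EXPECT_TIMEOUT-1] = sizeof(u_int32_t),
+	[CTA_EXPECT_ID-1] = sizeof(u_int32_t)
+};
+
 static int
 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
 		     struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
@@ -1263,6 +1293,9 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
 
 	DEBUGP("entered %s\n", __FUNCTION__);
 
+	if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
+		return -EINVAL;
+
 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
 		struct nfgenmsg *msg = NLMSG_DATA(nlh);
 		u32 rlen;
@@ -1333,6 +1366,9 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
 	struct ip_conntrack_helper *h;
 	int err;
 
+	if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
+		return -EINVAL;
+
 	if (cda[CTA_EXPECT_TUPLE-1]) {
 		/* delete a single expect by tuple */
 		err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
@@ -1462,6 +1498,9 @@ ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
 
 	DEBUGP("entered %s\n", __FUNCTION__);
 
+	if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
+		return -EINVAL;
+
 	if (!cda[CTA_EXPECT_TUPLE-1]
 	    || !cda[CTA_EXPECT_MASK-1]
 	    || !cda[CTA_EXPECT_MASTER-1])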
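Review bot: The three new tables (cta_min_nat, cta_min, cta_min_exp) carry no comment saying what an entry means or what an attribute left at 0 gets, and since they are only ever read through nfattr_bad_size, whose treatment of a 0 entry is not visible in these hunks, the next person adding a fixed-size CTA_* attribute has nothing to tell them an entry is required. I would put `/* minimum payload length in bytes per attribute index; an attribute with no entry here is presumably not length-checked and nested attributes are validated by their own parser -- confirm against nfattr_bad_size */` above cta_min_nat and a matching one-liner above cta_min and cta_min_exp. A second, smaller point is placement: in ctnetlink_get_conntrack the check is inserted after the block that returns 0 at old lines 760-761, whereas in ctnetlink_get_expect it precedes the NLM_F_DUMP branch, so if the early-return path of get_conntrack reads any CTA_* payload before that point (not shown here) it is still unvalidated; moving the check to the same position as in get_expect would make the two handlers consistent. Every function touched in this file starts and ends outside its hunk.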
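--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -357,6 +357,10 @@ nfattr_failure:
 	return -1;
 }
 
+static const size_t cta_min_tcp[CTA_PROTOINFO_TCP_MAX] = {
+	[CTA_PROTOINFO_TCP_STATE-1] = sizeof(u_int8_t),
+};
+
 static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
 {
 	struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
@@ -369,6 +373,9 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
 
 	nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr);
 
+	if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp))
+		return -EINVAL;
+
 	if (!tb[CTA_PROTOINFO_TCP_STATE-1])
 		return -EINVAL;
 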
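Review bot: cta_min_tcp has a single entry and nothing says whether that is the complete set of fixed-size CTA_PROTOINFO_TCP attributes or only the one this parser happens to read; a comment such as `/* minimum payload length in bytes per nested CTA_PROTOINFO_TCP attribute; only TCP_STATE is read below, so only it is listed */` above the table would make the intent explicit, hedged until confirmed against the attribute definitions. The initializer style is also inconsistent across the commit: this table and cta_min_nat end the last entry with a trailing comma while cta_min and cta_min_exp in ip_conntrack_netlink.c do not, and the kernel habit of always keeping the trailing comma gives cleaner diffs when entries are appended. nfattr_to_tcp continues past the end of the second hunk.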