aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-05-24 19:41:50 -0400
committerDavid S. Miller <davem@davemloft.net>2007-05-24 19:41:50 -0400
commit25b86e05467a2bf936b78695ef49039e3bbd1e0c (patch)
tree756282cad7ea20d2df257633c799d0b6baceba46
parent5fe26f53fe9e2ba5dca2835a4ca69d0ba7b5f707 (diff)
[NETFILTER]: nf_conntrack_ftp: fix newline sequence number calculation
When the packet size is changed by the FTP NAT helper, the connection tracking helper adjusts the sequence number of the newline character by the size difference. This is wrong because NAT sequence number adjustment happens after helpers are called, so the unadjusted number is compared to the already adjusted one. Based on report by YU, Haitao <yuhaitao@tsinghua.org.cn> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/netfilter/nf_conntrack_ftp.h3
-rw-r--r--net/ipv4/netfilter/nf_nat_ftp.c20
-rw-r--r--net/netfilter/nf_conntrack_ftp.c5
3 files changed, 9 insertions, 19 deletions
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
index 81453ea7e4c2..b7c360ffd0d0 100644
--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -37,8 +37,7 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
37 enum nf_ct_ftp_type type, 37 enum nf_ct_ftp_type type,
38 unsigned int matchoff, 38 unsigned int matchoff,
39 unsigned int matchlen, 39 unsigned int matchlen,
40 struct nf_conntrack_expect *exp, 40 struct nf_conntrack_expect *exp);
41 u32 *seq);
42#endif /* __KERNEL__ */ 41#endif /* __KERNEL__ */
43 42
44#endif /* _NF_CONNTRACK_FTP_H */ 43#endif /* _NF_CONNTRACK_FTP_H */
diff --git a/net/ipv4/netfilter/nf_nat_ftp.c b/net/ipv4/netfilter/nf_nat_ftp.c
index 751b59801755..e6bc8e5a72f1 100644
--- a/net/ipv4/netfilter/nf_nat_ftp.c
+++ b/net/ipv4/netfilter/nf_nat_ftp.c
@@ -40,8 +40,7 @@ mangle_rfc959_packet(struct sk_buff **pskb,
40 unsigned int matchoff, 40 unsigned int matchoff,
41 unsigned int matchlen, 41 unsigned int matchlen,
42 struct nf_conn *ct, 42 struct nf_conn *ct,
43 enum ip_conntrack_info ctinfo, 43 enum ip_conntrack_info ctinfo)
44 u32 *seq)
45{ 44{
46 char buffer[sizeof("nnn,nnn,nnn,nnn,nnn,nnn")]; 45 char buffer[sizeof("nnn,nnn,nnn,nnn,nnn,nnn")];
47 46
@@ -50,7 +49,6 @@ mangle_rfc959_packet(struct sk_buff **pskb,
50 49
51 DEBUGP("calling nf_nat_mangle_tcp_packet\n"); 50 DEBUGP("calling nf_nat_mangle_tcp_packet\n");
52 51
53 *seq += strlen(buffer) - matchlen;
54 return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff, 52 return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
55 matchlen, buffer, strlen(buffer)); 53 matchlen, buffer, strlen(buffer));
56} 54}
@@ -63,8 +61,7 @@ mangle_eprt_packet(struct sk_buff **pskb,
63 unsigned int matchoff, 61 unsigned int matchoff,
64 unsigned int matchlen, 62 unsigned int matchlen,
65 struct nf_conn *ct, 63 struct nf_conn *ct,
66 enum ip_conntrack_info ctinfo, 64 enum ip_conntrack_info ctinfo)
67 u32 *seq)
68{ 65{
69 char buffer[sizeof("|1|255.255.255.255|65535|")]; 66 char buffer[sizeof("|1|255.255.255.255|65535|")];
70 67
@@ -72,7 +69,6 @@ mangle_eprt_packet(struct sk_buff **pskb,
72 69
73 DEBUGP("calling nf_nat_mangle_tcp_packet\n"); 70 DEBUGP("calling nf_nat_mangle_tcp_packet\n");
74 71
75 *seq += strlen(buffer) - matchlen;
76 return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff, 72 return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
77 matchlen, buffer, strlen(buffer)); 73 matchlen, buffer, strlen(buffer));
78} 74}
@@ -85,8 +81,7 @@ mangle_epsv_packet(struct sk_buff **pskb,
85 unsigned int matchoff, 81 unsigned int matchoff,
86 unsigned int matchlen, 82 unsigned int matchlen,
87 struct nf_conn *ct, 83 struct nf_conn *ct,
88 enum ip_conntrack_info ctinfo, 84 enum ip_conntrack_info ctinfo)
89 u32 *seq)
90{ 85{
91 char buffer[sizeof("|||65535|")]; 86 char buffer[sizeof("|||65535|")];
92 87
@@ -94,14 +89,13 @@ mangle_epsv_packet(struct sk_buff **pskb,
94 89
95 DEBUGP("calling nf_nat_mangle_tcp_packet\n"); 90 DEBUGP("calling nf_nat_mangle_tcp_packet\n");
96 91
97 *seq += strlen(buffer) - matchlen;
98 return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff, 92 return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
99 matchlen, buffer, strlen(buffer)); 93 matchlen, buffer, strlen(buffer));
100} 94}
101 95
102static int (*mangle[])(struct sk_buff **, __be32, u_int16_t, 96static int (*mangle[])(struct sk_buff **, __be32, u_int16_t,
103 unsigned int, unsigned int, struct nf_conn *, 97 unsigned int, unsigned int, struct nf_conn *,
104 enum ip_conntrack_info, u32 *seq) 98 enum ip_conntrack_info)
105= { 99= {
106 [NF_CT_FTP_PORT] = mangle_rfc959_packet, 100 [NF_CT_FTP_PORT] = mangle_rfc959_packet,
107 [NF_CT_FTP_PASV] = mangle_rfc959_packet, 101 [NF_CT_FTP_PASV] = mangle_rfc959_packet,
@@ -116,8 +110,7 @@ static unsigned int nf_nat_ftp(struct sk_buff **pskb,
116 enum nf_ct_ftp_type type, 110 enum nf_ct_ftp_type type,
117 unsigned int matchoff, 111 unsigned int matchoff,
118 unsigned int matchlen, 112 unsigned int matchlen,
119 struct nf_conntrack_expect *exp, 113 struct nf_conntrack_expect *exp)
120 u32 *seq)
121{ 114{
122 __be32 newip; 115 __be32 newip;
123 u_int16_t port; 116 u_int16_t port;
@@ -145,8 +138,7 @@ static unsigned int nf_nat_ftp(struct sk_buff **pskb,
145 if (port == 0) 138 if (port == 0)
146 return NF_DROP; 139 return NF_DROP;
147 140
148 if (!mangle[type](pskb, newip, port, matchoff, matchlen, ct, ctinfo, 141 if (!mangle[type](pskb, newip, port, matchoff, matchlen, ct, ctinfo)) {
149 seq)) {
150 nf_conntrack_unexpect_related(exp); 142 nf_conntrack_unexpect_related(exp);
151 return NF_DROP; 143 return NF_DROP;
152 } 144 }
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 4bb669c7780f..82db2aa53bfc 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -48,8 +48,7 @@ unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
48 enum nf_ct_ftp_type type, 48 enum nf_ct_ftp_type type,
49 unsigned int matchoff, 49 unsigned int matchoff,
50 unsigned int matchlen, 50 unsigned int matchlen,
51 struct nf_conntrack_expect *exp, 51 struct nf_conntrack_expect *exp);
52 u32 *seq);
53EXPORT_SYMBOL_GPL(nf_nat_ftp_hook); 52EXPORT_SYMBOL_GPL(nf_nat_ftp_hook);
54 53
55#if 0 54#if 0
@@ -521,7 +520,7 @@ static int help(struct sk_buff **pskb,
521 nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook); 520 nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
522 if (nf_nat_ftp && ct->status & IPS_NAT_MASK) 521 if (nf_nat_ftp && ct->status & IPS_NAT_MASK)
523 ret = nf_nat_ftp(pskb, ctinfo, search[dir][i].ftptype, 522 ret = nf_nat_ftp(pskb, ctinfo, search[dir][i].ftptype,
524 matchoff, matchlen, exp, &seq); 523 matchoff, matchlen, exp);
525 else { 524 else {
526 /* Can't expect this? Best to drop packet now. */ 525 /* Can't expect this? Best to drop packet now. */
527 if (nf_conntrack_expect_related(exp) != 0) 526 if (nf_conntrack_expect_related(exp) != 0)