author | Patrick McHardy <kaber@trash.net> | 2013-09-30 03:51:46 -0400 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-09-30 06:44:38 -0400 |
commit | f4a87e7bd2eaef26a3ca25437ce8b807de2966ad (patch) | |
tree | 72359689d53c3ce656b4568f04b8ee92dd2e05f4 /include/net | |
parent | d1ee4fea0b6946dd8bc61b46db35ea80af7af34b (diff) |
netfilter: synproxy: fix BUG_ON triggered by corrupt TCP packets
TCP packets hitting the SYN proxy through the SYNPROXY target are not
validated by TCP conntrack. When th->doff is below 5, an underflow happens
when calculating the options length, causing skb_header_pointer() to
return NULL and triggering the BUG_ON().
Handle this case gracefully by checking for NULL instead of using BUG_ON().
Reported-by: Martin Topholm <mph@one.com>
Tested-by: Martin Topholm <mph@one.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/netfilter/nf_conntrack_synproxy.h | 2 |
1 files changed, 1 insertions, 1 deletions
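--- a/include/net/netfilter/nf_conntrack_synproxy.h
+++ b/include/net/netfilter/nf_conntrack_synproxy.h
@@ -56,7 +56,7 @@ struct synproxy_options {
 
 struct tcphdr;
 struct xt_synproxy_info;
-extern void synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+extern bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
 				   const struct tcphdr *th,
 				   struct synproxy_options *opts);
 extern unsigned int synproxy_options_size(const struct synproxy_options *opts);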
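Review bot: The declaration on line 59 now returns bool but the header states no contract for that value, so a caller in another translation unit has nothing telling it that a false result means the packet must be dropped rather than processed with opts. A short comment above the prototype would close that gap: `/* Returns false when the TCP option block cannot be pulled from the skb (e.g. th->doff < 5); the caller must drop the packet and not use opts. */`. Marking the prototype `__must_check` would additionally let the compiler flag any call site that ignores the result, which is the failure mode the commit message describes. Whether this header already pulls in the definition of bool is outside the hunk and should be confirmed.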