diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-06-18 11:29:53 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-06-18 19:24:52 -0400 |
commit | 32f5376003920a8bc1bd97c6cddcf42df0b6a833 (patch) | |
tree | e88905596468131aa76f99709a1c4e6972f529b6 /net/netfilter | |
parent | fd7462de461949e36d70f5b0bc17b98c5a00729c (diff) |
netfilter: nf_ct_helper: disable automatic helper re-assignment of different type
This patch modifies __nf_ct_try_assign_helper in a way that invalidates support
for the following scenario:
1) attach the helper A for first time when the conntrack is created
2) attach new (different) helper B due to changes the reply tuple caused by NAT
eg. port redirection from TCP/21 to TCP/5060 with both FTP and SIP helpers
loaded, which seems to be a quite unorthodox scenario.
I can provide a more elaborated patch to support this scenario but explicit
helper attachment provides a better solution for this since now the use can
attach the helpers consistently, without relying on the automatic helper
lookup magic.
This patch fixes a possible out of bound zeroing of the conntrack helper
extension if the helper B uses more memory for its private data than
helper A.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nf_conntrack_helper.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 2918ec2e4509..c4bc637feb76 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c | |||
@@ -229,7 +229,13 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, | |||
229 | goto out; | 229 | goto out; |
230 | } | 230 | } |
231 | } else { | 231 | } else { |
232 | memset(help->data, 0, helper->data_len); | 232 | /* We only allow helper re-assignment of the same sort since |
233 | * we cannot reallocate the helper extension area. | ||
234 | */ | ||
235 | if (help->helper != helper) { | ||
236 | RCU_INIT_POINTER(help->helper, NULL); | ||
237 | goto out; | ||
238 | } | ||
233 | } | 239 | } |
234 | 240 | ||
235 | rcu_assign_pointer(help->helper, helper); | 241 | rcu_assign_pointer(help->helper, helper); |