Re: [PATCH] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ian Wilson <iwilson@brocade.com>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
Date: Fri, 13 Mar 2015 12:08:48 +0100	[thread overview]
Message-ID: <20150313110848.GA5818@salvia> (raw)
In-Reply-To: <1426153078-20863-1-git-send-email-iwilson@brocade.com>

On Thu, Mar 12, 2015 at 09:37:58AM +0000, Ian Wilson wrote:
> nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(),
> nfnl_cthelper_get() and nfnl_cthelper_del().  In each case they pass
> a pointer to an nf_conntrack_tuple data structure local variable:
> 
>     struct nf_conntrack_tuple tuple;
>     ...
>     ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
> 
> The problem is that this local variable is not initialized, and
> nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and
> dst.protonum.  This leaves all other fields with undefined values
> based on whatever is on the stack:
> 
>     tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
>     tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
> 
> The symptom observed was that when the rpc and tns helpers were added
> then traffic to port 1536 was being sent to user-space.

Applied, thanks. I'll pass this to -stable too.

next prev parent reply	other threads:[~2015-03-13 11:05 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-12  9:37 [PATCH] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() Ian Wilson
2015-03-13 11:08 ` Pablo Neira Ayuso [this message]
  -- strict thread matches above, loose matches on Subject: below --
2015-03-11 21:01 Ian Wilson
2015-03-11 21:16 ` Stephen Hemminger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150313110848.GA5818@salvia \
    --to=pablo@netfilter.org \
    --cc=iwilson@brocade.com \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.