From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ian Wilson <iwilson@brocade.com>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 3.10 05/22] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
Date: Wed, 1 Jul 2015 11:40:10 -0700 [thread overview]
Message-ID: <20150701183942.228800170@linuxfoundation.org> (raw)
In-Reply-To: <20150701183942.019582154@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Wilson <iwilson@brocade.com>
commit 78146572b9cd20452da47951812f35b1ad4906be upstream.
nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(),
nfnl_cthelper_get() and nfnl_cthelper_del(). In each case they pass
a pointer to an nf_conntrack_tuple data structure local variable:
struct nf_conntrack_tuple tuple;
...
ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
The problem is that this local variable is not initialized, and
nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and
dst.protonum. This leaves all other fields with undefined values
based on whatever is on the stack:
tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
The symptom observed was that when the rpc and tns helpers were added
then traffic to port 1536 was being sent to user-space.
Signed-off-by: Ian Wilson <iwilson@brocade.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nfnetlink_cthelper.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -74,6 +74,9 @@ nfnl_cthelper_parse_tuple(struct nf_conn
if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM])
return -EINVAL;
+ /* Not all fields are initialized so first zero the tuple */
+ memset(tuple, 0, sizeof(struct nf_conntrack_tuple));
+
tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
next prev parent reply other threads:[~2015-07-01 18:53 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-01 18:40 [PATCH 3.10 00/22] 3.10.83-stable review Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 01/22] fput: turn "list_head delayed_fput_list" into llist_head Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 02/22] get rid of s_files and files_lock Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 03/22] config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected Greg Kroah-Hartman
2015-07-01 18:40 ` Greg Kroah-Hartman
2015-07-01 18:40 ` Greg Kroah-Hartman [this message]
2015-07-01 18:40 ` [PATCH 3.10 06/22] include/linux/sched.h: dont use task->pid/tgid in same_thread_group/has_group_leader_pid Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 07/22] __ptrace_may_access() should not deny sub-threads Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 08/22] ACPICA: Utilities: Cleanup to convert physical address printing formats Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 09/22] ACPICA: Utilities: Cleanup to remove useless ACPI_PRINTF/FORMAT_xxx helpers Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 10/22] sb_edac: Fix erroneous bytes->gigabytes conversion Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 11/22] hpsa: refine the pci enable/disable handling Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 12/22] hpsa: add missing pci_set_master in kdump path Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 13/22] fs: take i_mutex during prepare_binprm for set[ug]id executables Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 14/22] x86/microcode/intel: Guard against stack overflow in the loader Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 15/22] Btrfs: make xattr replace operations atomic Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 16/22] xfrm: Increase the garbage collector threshold Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 19/22] Re: [PATCH 3.10 14/46] d_walk() might skip too much Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 20/22] ARM: clk-imx6q: refine satas parent Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 21/22] KVM: nSVM: Check for NRIPS support before updating control field Greg Kroah-Hartman
2015-07-01 18:40 ` [PATCH 3.10 22/22] bus: mvebu: pass the coherency availability information at init time Greg Kroah-Hartman
2015-07-01 20:31 ` [PATCH 3.10 00/22] 3.10.83-stable review Guenter Roeck
2015-07-01 20:41 ` Greg Kroah-Hartman
2015-07-01 22:35 ` Shuah Khan
2015-07-01 23:17 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150701183942.228800170@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=iwilson@brocade.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.