From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] Out Of Bound Read in Netfilter Conntrack
Date: Mon, 6 Nov 2017 16:13:13 +0100 [thread overview]
Message-ID: <20171106151313.GA21034@salvia> (raw)
In-Reply-To: <3567257a-3e96-a603-82c0-d1f32bcffd54@x41-dsec.de>
Hi Eric,
On Wed, Oct 25, 2017 at 09:05:05AM +0200, Eric Sesterhenn wrote:
[...]
> From b8ed8753ca82f6f07fce2901418aab531d98ee39 Mon Sep 17 00:00:00 2001
> From: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
> Date: Wed, 25 Oct 2017 08:32:57 +0200
> Subject: [PATCH netfilter: nf_ct_h323: 1/2] Out Of Bound Read in Netfilter
> Conntrack
>
> Add missing counter decrement to prevent out of bounds memory read.
This one, I already applied it, see below comment on 2/2.
> From c1b7044749e534207ecd3b04281ae024b01887d3 Mon Sep 17 00:00:00 2001
> From: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
> Date: Wed, 25 Oct 2017 08:39:38 +0200
> Subject: [PATCH netfilter: nf_ct_h323: 2/2] Prevent multiple out of bounds
> memory reads.
>
> Multiple accesses are not guarded by out of bound
> checks. This patch introduces them.
>
> Signed-off-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
> ---
> net/netfilter/nf_conntrack_h323_asn1.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
> index 2a9d1acd0cbd..78a218cdf04e 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -104,6 +104,7 @@ typedef struct {
> #define INC_BITS(bs,b) if(((bs)->bit+=(b))>7){(bs)->cur+=(bs)->bit>>3;(bs)->bit&=7;}
> #define BYTE_ALIGN(bs) if((bs)->bit){(bs)->cur++;(bs)->bit=0;}
> #define CHECK_BOUND(bs,n) if((bs)->cur+(n)>(bs)->end)return(H323_ERROR_BOUND)
> +#define CHECK_BIT_BOUND(bs,n) ({ size_t __tmp = n/8; if((bs)->bit+(n%8)>7) { CHECK_BOUND(bs, __tmp + 2); } else { CHECK_BOUND(bs, __tmp + 1); } })
CHECK_BOUND() and your new CHECK_BIT_BOUND() are returning a something
inside a macro, which is a bad practise.
Would you first send me a patch to replace CHECK_BOUND() by a
function, then add place your fix on top of it?
I'd suggest something like:
static inline int nf_h323_error_boundary(...)
{
return bs->cur + (n > bs->end);
}
Then, use it:
if (nf_h323_error_boundary(...))
return H323_ERROR_BOUND;
Please, I'd appreciate if you can send me patches via git-send-mail
too.
Thanks!
next prev parent reply other threads:[~2017-11-06 15:13 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-09 5:01 [PATCH] Out Of Bound Read in Netfilter Conntrack Eric Sesterhenn
2017-10-12 0:03 ` Florian Westphal
2017-10-13 18:29 ` [PATCH] Bitwise " Eric Sesterhenn
2017-10-17 13:09 ` Pablo Neira Ayuso
2017-10-17 13:48 ` Eric Sesterhenn
2017-10-17 13:53 ` Pablo Neira Ayuso
2017-10-24 16:29 ` [PATCH] " Pablo Neira Ayuso
2017-10-24 16:36 ` Pablo Neira Ayuso
2017-10-25 7:05 ` Eric Sesterhenn
2017-11-06 15:13 ` Pablo Neira Ayuso [this message]
2017-11-13 8:09 ` [PATCH 1/2] Convert CHECK_BOUND macro to function eric.sesterhenn
2017-11-13 13:13 ` Pablo Neira Ayuso
2017-11-13 8:09 ` [PATCH 2/2] Extend nf_h323_error_boundary to work on bits as well eric.sesterhenn
2017-11-13 13:14 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106151313.GA21034@salvia \
--to=pablo@netfilter.org \
--cc=eric.sesterhenn@x41-dsec.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.