* [PATCH pom-ng 0/3] h323-conntrack-nat updates: buffer checks
From: Max Kellermann @ 2005-05-12 20:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jozsef Kadlecsik
Hi,
three small patches for the H.323 helper module. The first patch fixes
a "nearly endless loop" bug, which I consider critical.
The three new patches depend on my other patches from the last two
days.
Max
* [PATCH pom-ng 1/3] h323-conntrack-nat updates: check bb->error in every iteration
From: Max Kellermann @ 2005-05-12 20:50 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jozsef Kadlecsik
h323-01-another_bb_error_check.patch
- critical bug fix, check bb->error in every for iteration
* Re: [PATCH pom-ng 1/3] h323-conntrack-nat updates: check bb->error in every iteration
From: Max Kellermann @ 2005-05-12 20:51 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jozsef Kadlecsik
On 2005/05/12 22:50, Max Kellermann <max@duempel.org> wrote:
> h323-01-another_bb_error_check.patch
> - critical bug fix, check bb->error in every for iteration
>
damn, patch was missing :(
here it is
Thu May 12 21:58:49 CEST 2005 max@duempel.org
* check bb->error in loop
diff -rN -u old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/asn1_per.c new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/asn1_per.c
--- old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/asn1_per.c 2005-05-12 22:40:24.000000000 +0200
+++ new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/asn1_per.c 2005-05-12 21:58:41.000000000 +0200
@@ -278,7 +278,7 @@
if (bb->error)
return;
- for (i = 0; i < ext.count; i++) {
+ for (i = 0; i < ext.count && !bb->error; i++) {
if (asn1_per_bitmap_get(&ext.present, i))
asn1_per_skip_octet_string(bb);
}
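Review bot: the new `&& !bb->error` loop condition stops the loop once the buffer reports an error, but it is evaluated only at the top of each iteration, so within a single iteration asn1_per_skip_octet_string(bb) can still run after asn1_per_bitmap_get(&ext.present, i) has set bb->error; that is safe only if asn1_per_skip_octet_string() is a no-op on a buffer whose error flag is set. Since the loop now exits silently on error, a second `if (bb->error) return;` after the loop is needed so the failure is not lost before whatever follows consumes the buffer; the `if (bb->error) return;` before the loop guards entry only.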
* [PATCH pom-ng 2/3] h323-conntrack-nat updates: q931_find_u2u() returns relative length
From: Max Kellermann @ 2005-05-12 20:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jozsef Kadlecsik
h323-02-u2u_length_is_relative.patch
- minor bugfix, never occurred in reality
- length returned by q931_find_u2u() is relative
* [PATCH pom-ng 3/3] h323-conntrack-nat updates: simplified length checks
From: Max Kellermann @ 2005-05-12 20:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jozsef Kadlecsik
h323-03-simplified_length_checks.patch
- simplified some length checks to make them easier to read
Thu May 12 22:38:17 CEST 2005 max@duempel.org
* simplified buffer length checks
diff -rN -u old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c
--- old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c 2005-05-12 22:49:00.000000000 +0200
+++ new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c 2005-05-12 22:38:36.000000000 +0200
@@ -214,7 +214,7 @@
{
struct asn1_per_buffer bb;
- if (i + 8 > length)
+ if (i + 2 > length)
return NF_ACCEPT;
if (data[i++] != 0x05) /* X.208 / X.209 */
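Review bot: lowering the guard from `i + 8 > length` to `i + 2 > length` guarantees only two bytes beyond i, while the one read visible in this hunk is `data[i++] != 0x05`; the fields the previous guard budgeted for (the comment dropped in patch 2/3 listed protocolIdentifier(6), h245ipAddress(1), h245ipv4(4) and h245ipv4port(2)) must each be bounds-checked at the point where they are read, or this hunk reintroduces an over-read. The commit message should name which later checks cover them.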
@@ -275,6 +275,9 @@
u_int8_t q931_message_type;
unsigned length;
+ if (i + 3 > datalen)
+ return NF_ACCEPT;
+
/* parse Q.931 packet */
if (data[i++] != 0x08) /* protocol discriminator */
return NF_ACCEPT;
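Review bot: the new `i + 3 > datalen` guard covers only the fixed leading bytes of the Q.931 header; the call reference that follows the protocol discriminator carries its own length taken from the packet, so the code that skips it needs an `i + len > datalen` check of its own rather than relying on this one. A short comment naming the three bytes the constant accounts for would help the next reader.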
@@ -319,6 +322,9 @@
unsigned int i = 0;
u_int16_t tpkt_len;
+ if (i + 4 > datalen)
+ return NF_ACCEPT;
+
/* expect TPKT header, see RFC 1006 */
if (data[0] != 0x03 || data[1] != 0x00)
return NF_ACCEPT;
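Review bot: with `i` initialised to 0 two lines above, `i + 4 > datalen` is simply `datalen < 4`; writing it that way, or in terms of the TPKT header size, makes the intent clearer. The four bytes do match exactly what the TPKT parse reads: data[0], data[1] and the 16-bit length at data + 2.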
@@ -326,9 +332,6 @@
i += 2;
tpkt_len = ntohs(*(u_int16_t*)(data + i));
- if (tpkt_len < 16)
- return NF_ACCEPT;
-
if (tpkt_len < datalen)
datalen = tpkt_len;
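Review bot: dropping the `tpkt_len < 16` lower bound means a TPKT length smaller than the 4-byte header now sets `datalen = tpkt_len` below the offset already consumed (i is 4 once the length field has been read); every later check must then be written as `i + n > datalen` on unsigned types and never as `datalen - i`, which would wrap. A minimal `tpkt_len < 4` guard here costs nothing and removes that trap.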
@@ -372,7 +375,7 @@
}
datalen = (*pskb)->len - dataoff;
- if (datalen < 32)
+ if (datalen < 16)
return NF_ACCEPT;
/* get data portion, and evaluate it */
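Review bot: lowering the minimum from 32 to 16 bytes is not explained; the commit message ("simplified buffer length checks") should say what 16 corresponds to, since the `tpkt_len < 16` check removed in the previous hunk was the other place that constant lived and the two changes only make sense together.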
diff -rN -u old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h245.c new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h245.c
--- old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h245.c 2005-05-12 22:49:00.000000000 +0200
+++ new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h245.c 2005-05-12 22:38:36.000000000 +0200
@@ -868,6 +868,9 @@
u_int16_t tpkt_len;
struct asn1_per_buffer bb;
+ if (i + 4 > datalen)
+ return NF_ACCEPT;
+
/* expect TPKT header, see RFC 1006 */
if (data[0] != 0x03 || data[1] != 0x00)
return NF_ACCEPT;
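Review bot: this is the same TPKT header guard as in ip_conntrack_h323_h225.c; the TPKT parse (version/reserved check, length read, `datalen` clamp) is now duplicated verbatim in both files and would be better as one shared helper so a future fix lands in both places at once.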
@@ -875,9 +878,6 @@
i += 2;
tpkt_len = ntohs(*(u_int16_t*)(data + i));
- if (tpkt_len < 16)
- return NF_ACCEPT;
-
if (tpkt_len < datalen)
datalen = tpkt_len;
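Review bot: same concern as the h225 counterpart: without the `tpkt_len < 16` guard, a `tpkt_len` below 4 clamps `datalen` under the bytes already consumed; a `tpkt_len < 4` check here keeps the later `i + n > datalen` comparisons meaningful.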
@@ -922,6 +922,9 @@
}
datalen = (*pskb)->len - dataoff;
+ if (datalen < 16)
+ return NF_ACCEPT;
+
LOCK_BH(&ip_h245_lock);
data = skb_header_pointer((*pskb), dataoff,
datalen, h245_buffer);
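Review bot: rejecting short payloads before LOCK_BH(&ip_h245_lock) rather than after is the right placement; note the check does not catch `dataoff > (*pskb)->len`, which with an unsigned `datalen` wraps to a large value and passes `datalen < 16`, so the caller's computation of dataoff must guarantee dataoff <= len.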
* Re: [PATCH pom-ng 2/3] h323-conntrack-nat updates: q931_find_u2u() returns relative length
From: Max Kellermann @ 2005-05-12 20:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jozsef Kadlecsik
On 2005/05/12 22:52, Max Kellermann <max@duempel.org> wrote:
> h323-02-u2u_length_is_relative.patch
> - minor bugfix, never occurred in reality
> - length returned by q931_find_u2u() is relative
>
sorry, I'll never learn... ;)
Thu May 12 22:21:24 CEST 2005 max@duempel.org
* length returned by q931_find_u2u() is relative
diff -rN -u old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c
--- old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c 2005-05-12 22:48:51.000000000 +0200
+++ new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c 2005-05-12 22:48:51.000000000 +0200
@@ -214,9 +214,7 @@
{
struct asn1_per_buffer bb;
- /* protocol(1) + header(3) + protocolIdentifier(6) +
- h245ipAddress(1) + h245ipv4(4) + h245ipv4port(2) */
- if (length < 17)
+ if (i + 8 > length)
return NF_ACCEPT;
if (data[i++] != 0x05) /* X.208 / X.209 */
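Review bot: the removed comment was the only documentation of the byte budget (protocol(1) + header(3) + protocolIdentifier(6) + h245ipAddress(1) + h245ipv4(4) + h245ipv4port(2) = 17); the replacement `i + 8 > length` carries no explanation of why 8 bytes suffice. Keep the comment and state which later checks cover the remaining bytes, or check for the full 17 relative to i.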
@@ -297,6 +295,10 @@
if (i == 0)
return NF_ACCEPT;
+ /* the length returned by q931_find_u2u() is relative
+ to i */
+ length += i;
+
return h225_parse_q931_connect(pskb, ct, ctinfo,
data, i, length);
} else {
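Review bot: `length += i` correctly turns the relative length from q931_find_u2u() into an absolute end offset, but that length comes from the packet's IE length byte, so the sum can exceed the data actually present; unless q931_find_u2u() already clamps it, add `if (length > datalen) return NF_ACCEPT;` (against this function's `datalen`, as used in the Q.931 parsing hunks above) before calling h225_parse_q931_connect(). The `if (i == 0)` check above would also read better with a comment saying it means "user-to-user IE not found".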
* Re: [PATCH pom-ng 3/3] h323-conntrack-nat updates: simplified length checks
From: Patrick McHardy @ 2005-05-17 15:32 UTC (permalink / raw)
To: Max Kellermann; +Cc: netfilter-devel, Jozsef Kadlecsik
Max Kellermann wrote:
> h323-03-simplified_length_checks.patch
> - simplified some length checks to make them easier to read
All three patches applied, thanks.