* [PATCH pom-ng 0/3] h323-conntrack-nat updates: buffer checks
@ 2005-05-12 20:49 Max Kellermann
From: Max Kellermann @ 2005-05-12 20:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jozsef Kadlecsik
Hi,
three small patches for the H.323 helper module. The first patch fixes
a "nearly endless loop" bug, which I consider critical.
The three new patches depend on my other patches from the last two
days.
Max
* [PATCH pom-ng 1/3] h323-conntrack-nat updates: check bb->error in every iteration
From: Max Kellermann @ 2005-05-12 20:50 UTC
To: netfilter-devel; +Cc: Jozsef Kadlecsik

h323-01-another_bb_error_check.patch
- critical bug fix, check bb->error in every for iteration
* Re: [PATCH pom-ng 1/3] h323-conntrack-nat updates: check bb->error in every iteration
From: Max Kellermann @ 2005-05-12 20:51 UTC
To: netfilter-devel; +Cc: Jozsef Kadlecsik

On 2005/05/12 22:50, Max Kellermann <max@duempel.org> wrote:
> h323-01-another_bb_error_check.patch
> - critical bug fix, check bb->error in every for iteration

damn, patch was missing :( here it is

[-- Attachment #2: h323-01-another_bb_error_check.patch --]

Thu May 12 21:58:49 CEST 2005  max@duempel.org
  * check bb->error in loop
diff -rN -u old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/asn1_per.c new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/asn1_per.c
--- old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/asn1_per.c	2005-05-12 22:40:24.000000000 +0200
+++ new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/asn1_per.c	2005-05-12 21:58:41.000000000 +0200
@@ -278,7 +278,7 @@
 	if (bb->error)
 		return;
 
-	for (i = 0; i < ext.count; i++) {
+	for (i = 0; i < ext.count && !bb->error; i++) {
 		if (asn1_per_bitmap_get(&ext.present, i))
 			asn1_per_skip_octet_string(bb);
 	}
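Review bot: the new `&& !bb->error` condition in the for loop at asn1_per.c:281 is the right fix but reads as redundant next to the `if (bb->error) return;` three lines above it, so a later cleanup could drop it again; a one-line comment that asn1_per_skip_octet_string() sets bb->error on a truncated buffer, and that the loop must stop at that point rather than retry the failed skip ext.count more times, would protect the fix. If ext.count is decoded from the packet, that retry count is under the sender's control, which is what makes this the "nearly endless loop" from the cover mail rather than a cosmetic issue.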
* [PATCH pom-ng 2/3] h323-conntrack-nat updates: q931_find_u2u() returns relative length
From: Max Kellermann @ 2005-05-12 20:52 UTC
To: netfilter-devel; +Cc: Jozsef Kadlecsik

h323-02-u2u_length_is_relative.patch
- minor bugfix, never occurred in reality
- length returned by q931_find_u2u() is relative
* Re: [PATCH pom-ng 2/3] h323-conntrack-nat updates: q931_find_u2u() returns relative length
From: Max Kellermann @ 2005-05-12 20:53 UTC
To: netfilter-devel; +Cc: Jozsef Kadlecsik

On 2005/05/12 22:52, Max Kellermann <max@duempel.org> wrote:
> h323-02-u2u_length_is_relative.patch
> - minor bugfix, never occurred in reality
> - length returned by q931_find_u2u() is relative

sorry, I'll never learn... ;)

[-- Attachment #2: h323-02-u2u_length_is_relative.patch --]

Thu May 12 22:21:24 CEST 2005  max@duempel.org
  * length returned by q931_find_u2u() is relative
diff -rN -u old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c
--- old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c	2005-05-12 22:48:51.000000000 +0200
+++ new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c	2005-05-12 22:48:51.000000000 +0200
@@ -214,9 +214,7 @@
 {
 	struct asn1_per_buffer bb;
 
-	/* protocol(1) + header(3) + protocolIdentifier(6) +
-	   h245ipAddress(1) + h245ipv4(4) + h245ipv4port(2) */
-	if (length < 17)
+	if (i + 8 > length)
 		return NF_ACCEPT;
 
 	if (data[i++] != 0x05) /* X.208 / X.209 */
@@ -297,6 +295,10 @@
 	if (i == 0)
 		return NF_ACCEPT;
 
+	/* the length returned by q931_find_u2u() is relative
+	   to i */
+	length += i;
+
 	return h225_parse_q931_connect(pskb, ct, ctinfo,
 				       data, i, length);
 	} else {
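Review bot: the removed comment at ip_conntrack_h323_h225.c:217 was the only place that documented what the old 17-byte minimum covered (protocol(1) + header(3) + protocolIdentifier(6) + h245ipAddress(1) + h245ipv4(4) + h245ipv4port(2)); the replacement `if (i + 8 > length)` carries no such note, so a reader cannot tell which fields the 8 bytes past i are meant to cover or why the expected minimum dropped from 17 to 8. Suggest keeping a field-list comment above the new check so the bound stays auditable against the H.225 layout.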
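Review bot: after `length += i;` at ip_conntrack_h323_h225.c:300, `length` is the absolute end offset handed to h225_parse_q931_connect(), and the `i + 8 > length` check in the first hunk is then only meaningful if the relative value q931_find_u2u() returned was already bounded by the bytes actually present in the buffer; if it was taken from a length field in the packet without clamping, the sum can exceed the real data length and the check passes for data that is not there. Worth confirming that q931_find_u2u() clamps its return value, or clamping the sum against the buffer size here before the call.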
* [PATCH pom-ng 3/3] h323-conntrack-nat updates: simplified length checks
From: Max Kellermann @ 2005-05-12 20:52 UTC
To: netfilter-devel; +Cc: Jozsef Kadlecsik

h323-03-simplified_length_checks.patch
- simplified some length checks to make them easier readable

[-- Attachment #2: h323-03-simplified_length_checks.patch --]

Thu May 12 22:38:17 CEST 2005  max@duempel.org
  * simplified buffer length checks
diff -rN -u old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c
--- old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c	2005-05-12 22:49:00.000000000 +0200
+++ new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h225.c	2005-05-12 22:38:36.000000000 +0200
@@ -214,7 +214,7 @@
 {
 	struct asn1_per_buffer bb;
 
-	if (i + 8 > length)
+	if (i + 2 > length)
 		return NF_ACCEPT;
 
 	if (data[i++] != 0x05) /* X.208 / X.209 */
@@ -275,6 +275,9 @@
 	u_int8_t q931_message_type;
 	unsigned length;
 
+	if (i + 3 > datalen)
+		return NF_ACCEPT;
+
 	/* parse Q.931 packet */
 	if (data[i++] != 0x08) /* protocol discriminator */
 		return NF_ACCEPT;
@@ -319,6 +322,9 @@
 	unsigned int i = 0;
 	u_int16_t tpkt_len;
 
+	if (i + 4 > datalen)
+		return NF_ACCEPT;
+
 	/* expect TPKT header, see RFC 1006 */
 	if (data[0] != 0x03 || data[1] != 0x00)
 		return NF_ACCEPT;
@@ -326,9 +332,6 @@
 	i += 2;
 	tpkt_len = ntohs(*(u_int16_t*)(data + i));
 
-	if (tpkt_len < 16)
-		return NF_ACCEPT;
-
 	if (tpkt_len < datalen)
 		datalen = tpkt_len;
 
@@ -372,7 +375,7 @@
 	}
 
 	datalen = (*pskb)->len - dataoff;
-	if (datalen < 32)
+	if (datalen < 16)
 		return NF_ACCEPT;
 
 	/* get data portion, and evaluate it */
diff -rN -u old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h245.c new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h245.c
--- old-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h245.c	2005-05-12 22:49:00.000000000 +0200
+++ new-h323-0/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323_h245.c	2005-05-12 22:38:36.000000000 +0200
@@ -868,6 +868,9 @@
 	u_int16_t tpkt_len;
 	struct asn1_per_buffer bb;
 
+	if (i + 4 > datalen)
+		return NF_ACCEPT;
+
 	/* expect TPKT header, see RFC 1006 */
 	if (data[0] != 0x03 || data[1] != 0x00)
 		return NF_ACCEPT;
@@ -875,9 +878,6 @@
 	i += 2;
 	tpkt_len = ntohs(*(u_int16_t*)(data + i));
 
-	if (tpkt_len < 16)
-		return NF_ACCEPT;
-
 	if (tpkt_len < datalen)
 		datalen = tpkt_len;
 
@@ -922,6 +922,9 @@
 	}
 
 	datalen = (*pskb)->len - dataoff;
+	if (datalen < 16)
+		return NF_ACCEPT;
+
 	LOCK_BH(&ip_h245_lock);
 	data = skb_header_pointer((*pskb), dataoff, datalen, h245_buffer);
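Review bot: loosening the bound at ip_conntrack_h323_h225.c:217 from `i + 8 > length` to `i + 2 > length` is only safe if every direct `data[i++]` read between this check and the hand-off to the asn1_per_buffer `bb` fits in those two bytes; the hunk shows one such read (`data[i++] != 0x05`) and the rest is outside the context. A comment stating what the 2 bytes cover, and that everything after them is read through bb with its bb->error checks, would make the bound verifiable without re-reading the whole function.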
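Review bot: dropping `if (tpkt_len < 16) return NF_ACCEPT;` at ip_conntrack_h323_h225.c:329 (and the identical hunk at ip_conntrack_h323_h245.c:881) means tpkt_len, which comes straight from the wire, can now be smaller than the 4 TPKT header bytes already consumed, so `datalen = tpkt_len` can leave datalen below i. The new `if (i + 3 > datalen)` guard in the Q.931 parser catches that on the h225 path because it only adds, but any later expression of the form `datalen - i` would underflow as unsigned; a cheap `if (tpkt_len < 4) return NF_ACCEPT;` in place of the removed check would keep the invariant datalen >= i explicit in both files.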
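Review bot: the floor at ip_conntrack_h323_h225.c:375 drops from 32 to 16 with no comment on where 16 comes from; with the per-field checks added elsewhere in this patch the floor is now a fast path rather than the thing that makes the later reads safe, so either say that, or derive the number from the headers it guards (the 4 TPKT bytes plus the 3 Q.931 bytes the new checks require, and whatever follows). The same applies to the new `datalen < 16` check at ip_conntrack_h323_h245.c:925, which is a new check rather than a simplification, so the commit message understates it; that one is placed before LOCK_BH(), which is the right spot, as runt packets then never take the lock.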
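Review bot: `if (i + 4 > datalen)` at ip_conntrack_h323_h225.c:325 and ip_conntrack_h323_h245.c:871 is evaluated with `i = 0` just declared, so it is simply `4 > datalen`; that is correct for the `data[0]`, `data[1]` and the 2-byte ntohs read at `data + 2` that follow, but a comment tying the 4 to the TPKT header size from RFC 1006 (already cited two lines below) would make it clear the constant is the header length and not an arbitrary minimum.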
* Re: [PATCH pom-ng 3/3] h323-conntrack-nat updates: simplified length checks
From: Patrick McHardy @ 2005-05-17 15:32 UTC
To: Max Kellermann; +Cc: netfilter-devel, Jozsef Kadlecsik

Max Kellermann wrote:
> h323-03-simplified_length_checks.patch
> - simplified some length checks to make them easier readable

All three patches applied, thanks.