* [PATCH] nf_conntrack: Fix missing check for ICMPv6 type
@ 2005-12-03 16:22 Yasuyuki KOZAKAI
From: Yasuyuki KOZAKAI @ 2005-12-03 16:22 UTC (permalink / raw)
To: netfilter-devel; +Cc: laforge, kaber
[-- Attachment #1: Type: Text/Plain, Size: 186 bytes --]
Hi,
This makes nf_conntrack_icmpv6 check that ICMPv6 type isn't < 128
to avoid access out of valid_new[] and invmap[].
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
[-- Attachment #2: 01-nfct-icmpv6.patch --]
[-- Type: Text/Plain, Size: 2057 bytes --]
[NETFILTER] nf_conntrack: Fix missing check for ICMPv6 type.
This makes nf_conntrack_icmpv6 check that ICMPv6 type isn't < 128
to avoid accessing out of array valid_new[] and invmap[].
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
---
commit b80e4873d096c32b1c941b66cbfdaf1cf9bf8d8d
tree 24cb10c90a97884f59e06129383a8d354c057555
parent 76dbe24325d4e4fb4e7da76498bd0d168a14bf40
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Sat, 26 Nov 2005 22:49:17 +0900
committer Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Sat, 26 Nov 2005 22:49:17 +0900
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index c0f1da5..a7e03cf 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -68,8 +68,8 @@ static int icmpv6_invert_tuple(struct nf
[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_REPLY +1
};
- __u8 type = orig->dst.u.icmp.type - 128;
- if (type >= sizeof(invmap) || !invmap[type])
+ int type = orig->dst.u.icmp.type - 128;
+ if (type < 0 || type >= sizeof(invmap) || !invmap[type])
return 0;
tuple->src.u.icmp.id = orig->src.u.icmp.id;
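Review bot: the new bound `type >= sizeof(invmap)` compares a signed int against a size_t and measures the array in bytes, not elements. The explicit `type < 0` test makes the intent readable, but the upper bound is only right while each invmap entry is one byte wide; `ARRAY_SIZE(invmap)` would state the element count directly and stay correct if the element type changes. A short comment on why `type` is widened to int (so that values below 128 become negative instead of wrapping) would also help the next reader.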
@@ -129,12 +129,12 @@ static int icmpv6_new(struct nf_conn *co
[ICMPV6_ECHO_REQUEST - 128] = 1,
[ICMPV6_NI_QUERY - 128] = 1
};
+ int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128;
- if (conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128 >= sizeof(valid_new)
- || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128]) {
+ if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) {
/* Can't create a new ICMPv6 `conn' with this. */
- DEBUGP("icmp: can't create new conn with type %u\n",
- conntrack->tuplehash[0].tuple.dst.u.icmp.type);
+ DEBUGP("icmpv6: can't create new conn with type %u\n",
+ type + 128);
NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple);
return 0;
}
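Review bot: the rewritten DEBUGP call passes `type + 128`, which is now an int expression, to a `%u` conversion. Use `%d`, or keep printing the original `dst.u.icmp.type` field, so that the format and the argument agree. The condition `type >= sizeof(valid_new)` also mixes int with size_t as in the first hunk; `ARRAY_SIZE(valid_new)` would be the clearer bound here too.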
* Re: [PATCH] nf_conntrack: Fix missing check for ICMPv6 type
@ 2005-12-04 15:03 ` Patrick McHardy
From: Patrick McHardy @ 2005-12-04 15:03 UTC (permalink / raw)
To: Yasuyuki KOZAKAI; +Cc: laforge, netfilter-devel
Yasuyuki KOZAKAI wrote:
> Hi,
>
> This makes nf_conntrack_icmpv6 check that ICMPv6 type isn't < 128
> to avoid access out of valid_new[] and invmap[].
Applied, thanks Yasuyuki. I'll push it forward tonight.