From: Jiri Slaby <jslaby@suse.cz>
To: Pablo Neira Ayuso <pablo@netfilter.org>, stable@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH -stable] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
Date: Tue, 19 May 2015 13:31:21 +0200
Message-ID: <555B1F09.7010300@suse.cz>
In-Reply-To: <1431802251-4781-2-git-send-email-pablo@netfilter.org>

On 05/16/2015, 08:50 PM, Pablo Neira Ayuso wrote:
> From: Ian Wilson <iwilson@brocade.com>
> 
> [ upstream commit 78146572b9cd20452da47951812f35b1ad4906be ]
> 
> nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(),
> nfnl_cthelper_get() and nfnl_cthelper_del().  In each case they pass
> a pointer to an nf_conntrack_tuple data structure local variable:
> 
>     struct nf_conntrack_tuple tuple;
>     ...
>     ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
> 
> The problem is that this local variable is not initialized, and
> nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and
> dst.protonum.  This leaves all other fields with undefined values
> based on whatever is on the stack:
> 
>     tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
>     tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
> 
> The symptom observed was that when the rpc and tns helpers were added
> then traffic to port 1536 was being sent to user-space.
> 
> Cc: <stable@vger.kernel.org> # 3.10.x
> Cc: <stable@vger.kernel.org> # 3.12.x

Applied only this one to 3.12 (others are not marked as such). Thanks.

> Cc: <stable@vger.kernel.org> # 3.14.x
> Cc: <stable@vger.kernel.org> # 3.18.x
> Cc: <stable@vger.kernel.org> # 3.19.x
> Signed-off-by: Ian Wilson <iwilson@brocade.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/nfnetlink_cthelper.c |    3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
> index a5599fc..54330fb 100644
> --- a/net/netfilter/nfnetlink_cthelper.c
> +++ b/net/netfilter/nfnetlink_cthelper.c
> @@ -77,6 +77,9 @@ nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple,
>  	if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM])
>  		return -EINVAL;
>  
> +	/* Not all fields are initialized so first zero the tuple */
> +	memset(tuple, 0, sizeof(struct nf_conntrack_tuple));
> +
>  	tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
>  	tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
>  
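Review bot: the `memset(tuple, 0, sizeof(struct nf_conntrack_tuple));` added after the `-EINVAL` check would be safer written as `memset(tuple, 0, sizeof(*tuple));`, so the cleared size follows the pointee type instead of a repeated type name. The comment should also spell out the contract this placement creates: on the `-EINVAL` path the tuple is still uninitialised, so callers must not read it unless the function returned 0. If that contract is not wanted, the alternative is to zero the local at its declaration in the callers (`struct nf_conntrack_tuple tuple = {};`) and leave the parser as it was.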
> 


-- 
js
suse labs
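The mechanism the changelog describes, as an added example that is not kernel code and not part of this thread: a cut-down `struct tuple`, a small registry keyed on (l3num, protonum, port) standing in for the conntrack helper lookup, and the pre-patch and post-patch parser side by side. The struct layout, the registry, the `tns` helper name and the stale stack pattern are all constructed for illustration. Reading genuinely uninitialised stack memory is undefined behaviour, so the leftover port value is planted explicitly, chosen to mirror the 1536 from the report.

```c
/* Added example, not kernel code: a parser that fills only two fields of a
 * caller-supplied struct leaks stale stack data into a lookup key; zeroing
 * the struct first fixes it. Everything below is a simplified stand-in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Cut-down stand-in for struct nf_conntrack_tuple: only the fields the
 * helper lookup keys on are modelled (dst.all plays the role of dst.u.all). */
struct tuple {
    struct { uint16_t l3num; } src;
    struct { uint16_t all; uint8_t protonum; } dst;
};

/* Stand-in for the NFCTH_TUPLE_L3PROTONUM / L4PROTONUM attributes. */
struct tuple_attrs {
    uint16_t l3protonum;
    uint8_t l4protonum;
};

/* Pre-patch behaviour: only two fields are written, the rest is whatever
 * the caller's local variable already held. */
static int parse_tuple_buggy(struct tuple *t, const struct tuple_attrs *a)
{
    t->src.l3num = a->l3protonum;
    t->dst.protonum = a->l4protonum;
    return 0;
}

/* Post-patch behaviour: zero the whole struct before filling the known fields. */
static int parse_tuple_fixed(struct tuple *t, const struct tuple_attrs *a)
{
    memset(t, 0, sizeof(*t));
    t->src.l3num = a->l3protonum;
    t->dst.protonum = a->l4protonum;
    return 0;
}

/* Minimal helper registry keyed on (l3num, protonum, port); constructed. */
#define MAX_HELPERS 8
struct helper { struct tuple key; const char *name; };
static struct helper registry[MAX_HELPERS];
static int nhelpers;

static void registry_reset(void) { nhelpers = 0; }

static int helper_register(const struct tuple *key, const char *name)
{
    if (nhelpers == MAX_HELPERS)
        return -1;
    registry[nhelpers].key = *key;
    registry[nhelpers].name = name;
    nhelpers++;
    return 0;
}

/* Exact match on the three key fields; returns the helper name or NULL. */
static const char *helper_lookup(uint16_t l3num, uint8_t protonum, uint16_t port_be)
{
    for (int i = 0; i < nhelpers; i++) {
        const struct tuple *k = &registry[i].key;
        if (k->src.l3num == l3num && k->dst.protonum == protonum && k->dst.all == port_be)
            return registry[i].name;
    }
    return NULL;
}

/* Simulates stale stack contents in the caller's local. The garbage is
 * planted deliberately (assumption: any leftover value could appear here);
 * the port is set to 1536 to mirror the symptom in the changelog. */
static void fill_stale_stack(struct tuple *t)
{
    memset(t, 0xA5, sizeof(*t));
    t->dst.all = htons(1536);
}

typedef int (*parser_fn)(struct tuple *, const struct tuple_attrs *);

/* Registers a "tns"-style helper through the given parser and reports
 * whether TCP traffic to port 1536 would now be handed to that helper.
 * Returns 1 if it matches, 0 if not, -1 on parse error. */
static int port_1536_hits_helper(parser_fn parse)
{
    struct tuple_attrs attrs = { .l3protonum = AF_INET, .l4protonum = IPPROTO_TCP };
    struct tuple t;

    fill_stale_stack(&t);            /* what the caller's local looked like */
    if (parse(&t, &attrs) != 0)
        return -1;
    registry_reset();
    helper_register(&t, "tns");
    return helper_lookup(AF_INET, IPPROTO_TCP, htons(1536)) != NULL;
}

int main(void)
{
    printf("buggy parser: port 1536 handed to helper? %d\n", port_1536_hits_helper(parse_tuple_buggy));
    printf("fixed parser: port 1536 handed to helper? %d\n", port_1536_hits_helper(parse_tuple_fixed));
    return 0;
}
```

Build and run with `cc -Wall -o tuple tuple.c && ./tuple`. With the buggy parser the registered key carries the stale port, so a lookup for port 1536 finds the helper; with the fixed parser the port field is zero and the same lookup misses.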

Thread overview:
2015-05-16 18:50 [PATCH -stable] netfilter: nf_tables: fix error handling of rule replacement Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() Pablo Neira Ayuso
2015-05-19 11:31   ` Jiri Slaby [this message]
2015-05-16 18:50 ` [PATCH -stable] netfilter: nf_tables: check for overflow of rule dlen field Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: restore rule tracing via nfnetlink_log Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: nf_tables: allow to change chain policy without hook if it exists Pablo Neira Ayuso
2015-05-16 18:50 ` [PATCH -stable] netfilter: nft_rbtree: fix locking Pablo Neira Ayuso
2015-06-29 23:00   ` Greg KH
2015-07-01 11:38     ` Pablo Neira Ayuso
2015-05-20 12:12 ` [PATCH -stable] netfilter: nf_tables: fix error handling of rule replacement Luis Henriques
2015-05-20 12:12   ` Luis Henriques
