netdev.vger.kernel.org archive mirror
From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
To: netfilter-devel@lists.netfilter.org
Cc: netdev@oss.sgi.com, usagi-core@linux-ipv6.org
Subject: Re: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists
Date: Fri, 20 Feb 2004 15:12:17 +0900 (JST)
Message-ID: <200402200612.PAA12001@toshiba.co.jp>
In-Reply-To: <200401310649.PAA00050@toshiba.co.jp>

[-- Attachment #1: Type: Text/Plain, Size: 1071 bytes --]


Hello,

I sent the patch which fixes this bug to netfilter-devel, but it included
another bug... sorry, I rewrote the patch for ip6_tables.c.

Please don't forget to apply the patch which fixes the bug in ipv6_skip_exthdr()
before you test this patch. I sent it a few minutes ago to netdev and
netfilter-devel.

Regards,

-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@toshiba.co.jp>


From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Subject: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists
Date: Sat, 31 Jan 2004 15:49:32 +0900 (JST)


> Hi,
> 
> tcp_match() and udp_match() in ip6tables.c assume that the header preceding
> the TCP/UDP header is the IPv6 header. So, for example, the first fragment
> of a fragmented UDP packet, or AH'ed packets, can't correctly match the
> rules which use "--sport" and so on.
> 
> This patch uses ipv6_skip_exthdr(). But this function has a bug which
> accesses an invalid memory area when it finds a Fragment Header.
> So this patch includes the change for that, too.
> 
> Regards,
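The header-chain walk the quoted post describes, as an added example that is not part of this mail or of the kernel's code: a user-space C model with a hypothetical skip_exthdr() that follows the ipv6_skip_exthdr() contract the patch relies on (stop at a fragment header with non-zero offset, return -1 when the chain runs past the buffer), run over a constructed IPv6 | Hop-by-Hop | Fragment | UDP packet. naive_sport_of_sample() reads the port at the fixed offset right after the IPv6 header, as the old tcp_match()/udp_match() did, and gets the fragment header's octets instead; walked_sport_of_sample() applies the same three-way decision as the patch (drop, no match on a later fragment, or read the ports). All function names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IPv6 next-header values (IANA protocol numbers). */
#define NEXTHDR_HOP       0
#define NEXTHDR_TCP       6
#define NEXTHDR_UDP      17
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_AUTH     51
#define NEXTHDR_DEST     60
#define IPV6_HDRLEN      40
#define SAMPLE_LEN       64

/* Hypothetical user-space stand-in for the ipv6_skip_exthdr() contract the patch relies on:
 * `start` is the offset of the header whose type is *nexthdrp; returns the offset of the first
 * header not skipped and stores its type in *nexthdrp, or -1 if the chain runs past `len`.
 * A fragment header with non-zero offset ends the walk with *nexthdrp == NEXTHDR_FRAGMENT. */
static int skip_exthdr(const uint8_t *pkt, size_t len, int start, uint8_t *nexthdrp)
{
    uint8_t nexthdr = *nexthdrp;
    while (nexthdr == NEXTHDR_HOP || nexthdr == NEXTHDR_ROUTING || nexthdr == NEXTHDR_DEST ||
           nexthdr == NEXTHDR_FRAGMENT || nexthdr == NEXTHDR_AUTH) {
        int hdrlen;
        if ((size_t)start + 8 > len)
            return -1;                       /* every extension header is at least 8 bytes */
        if (nexthdr == NEXTHDR_FRAGMENT) {
            unsigned frag_off = ((pkt[start + 2] << 8) | pkt[start + 3]) & 0xfff8u;
            if (frag_off != 0)
                break;                       /* later fragment: no transport header follows */
            hdrlen = 8;
        } else if (nexthdr == NEXTHDR_AUTH) {
            hdrlen = (pkt[start + 1] + 2) << 2;  /* AH: length in 32-bit words minus 2 */
        } else {
            hdrlen = (pkt[start + 1] + 1) << 3;  /* others: 8-octet units minus 1 */
        }
        nexthdr = pkt[start];                /* first octet is always the next-header field */
        start += hdrlen;
    }
    *nexthdrp = nexthdr;
    return start;
}

/* Constructed sample: IPv6 | Hop-by-Hop (PadN) | Fragment | UDP sport 53, dport 1024.
 * `frag_off` is the fragment offset in octets (multiple of 8); 0 marks the first fragment. */
static void build_sample(uint8_t *buf, uint16_t frag_off)
{
    uint8_t *p = buf;
    memset(buf, 0, SAMPLE_LEN);
    p[0] = 0x60; p[5] = 24;                  /* version 6, payload length 24; addresses zero */
    p[6] = NEXTHDR_HOP; p[7] = 64;           /* first extension header, hop limit */
    p += IPV6_HDRLEN;
    p[0] = NEXTHDR_FRAGMENT; p[1] = 0;       /* hop-by-hop: hdr ext len 0 => 8 bytes */
    p[2] = 1; p[3] = 4;                      /* PadN option filling the remaining 6 bytes */
    p += 8;
    p[0] = NEXTHDR_UDP; p[1] = 0;            /* fragment header */
    p[2] = (uint8_t)(frag_off >> 8); p[3] = (uint8_t)(frag_off & 0xf8);
    p[4] = 0x12; p[5] = 0x34; p[6] = 0x56; p[7] = 0x78;   /* identification */
    p += 8;
    p[0] = 0x00; p[1] = 0x35;                /* UDP source port 53 */
    p[2] = 0x04; p[3] = 0x00; p[5] = 0x08;   /* destination port 1024, length 8, checksum 0 */
}

/* Pre-patch assumption: the transport header sits right after the fixed IPv6 header,
 * so on the sample the fragment header's first two octets are read as the port. */
int naive_sport_of_sample(void)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf, 0);
    return (buf[IPV6_HDRLEN] << 8) | buf[IPV6_HDRLEN + 1];
}

/* Patched behaviour: walk the chain, then verify the header before reading ports. Returns the
 * source port; -2 when the rule simply does not match (later fragment); -1 where the patch sets
 * *hotdrop (chain runs past the packet, wrong protocol, or header not fully present).
 * `len` < SAMPLE_LEN simulates a truncated packet (0 = full); `proto` is the rule's protocol. */
int walked_sport_of_sample(uint16_t frag_off, size_t len, uint8_t proto)
{
    uint8_t buf[SAMPLE_LEN], nexthdr;
    int off;
    build_sample(buf, frag_off);
    if (len == 0 || len > SAMPLE_LEN)
        len = SAMPLE_LEN;
    nexthdr = buf[6];
    off = skip_exthdr(buf, len, IPV6_HDRLEN, &nexthdr);
    if (off < 0 || (size_t)off > len)
        return -1;                           /* cannot skip exthdr: drop */
    if (nexthdr == NEXTHDR_FRAGMENT)
        return -2;                           /* later fragment: no ports to match */
    if (nexthdr != proto || len - (size_t)off < 8)
        return -1;                           /* header not present in full: drop */
    return (buf[off] << 8) | buf[off + 1];
}
```

Calling the two functions shows the difference the patch is about: the fixed-offset read returns 11264 (0x2c00, the fragment header's next-header and reserved octets) while the walk returns 53; a later fragment gives "no match" rather than a drop, and a packet cut short inside the chain, or one whose UDP header is not fully present, gives the drop condition on which the patch sets *hotdrop.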

[-- Attachment #2: tcp-udp.patch --]
[-- Type: Text/Plain, Size: 2711 bytes --]

diff -Nur linux-2.6.3/net/ipv6/ipv6_syms.c linux-2.6.3-fixed/net/ipv6/ipv6_syms.c
--- linux-2.6.3/net/ipv6/ipv6_syms.c	2004-02-18 12:58:48.000000000 +0900
+++ linux-2.6.3-fixed/net/ipv6/ipv6_syms.c	2004-02-19 19:11:12.000000000 +0900
@@ -46,3 +46,4 @@
 EXPORT_SYMBOL(ip6_flush_pending_frames);
 EXPORT_SYMBOL(ip6_push_pending_frames);
 EXPORT_SYMBOL(ipv6_push_nfrag_opts);
+EXPORT_SYMBOL(ipv6_skip_exthdr);
diff -Nur linux-2.6.3/net/ipv6/netfilter/ip6_tables.c linux-2.6.3-fixed/net/ipv6/netfilter/ip6_tables.c
--- linux-2.6.3/net/ipv6/netfilter/ip6_tables.c	2004-02-18 12:59:22.000000000 +0900
+++ linux-2.6.3-fixed/net/ipv6/netfilter/ip6_tables.c	2004-02-20 12:39:48.155754688 +0900
@@ -1570,8 +1570,10 @@
 	  u_int16_t datalen,
 	  int *hotdrop)
 {
-	const struct tcphdr *tcp = hdr;
+	const struct tcphdr *tcp;
 	const struct ip6t_tcp *tcpinfo = matchinfo;
+	int tcpoff;
+	u8 nexthdr = skb->nh.ipv6h->nexthdr;
 
 	/* To quote Alan:
 
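Review bot: with `const struct tcphdr *tcp = hdr;` removed, the `hdr` argument is no longer read anywhere in tcp_match(), and `tcp` stays unassigned until after the checks that follow; either drop the now-unused parameter from the prototype or say in the changelog that `hdr` and `datalen` describe a position this match no longer uses, so nobody later "fixes" the code back to reading from `hdr`.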
@@ -1592,6 +1594,24 @@
 		return 0;
 	}
 
+	tcpoff = (u8*)(skb->nh.ipv6h + 1) - skb->data;
+	tcpoff = ipv6_skip_exthdr(skb, tcpoff, &nexthdr, skb->len - tcpoff);
+	if (tcpoff < 0 || tcpoff > skb->len) {
+		duprintf("tcp_match: cannot skip exthdr. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	} else if (nexthdr == IPPROTO_FRAGMENT)
+		return 0;
+	else if (nexthdr != IPPROTO_TCP ||
+		 skb->len - tcpoff < sizeof(struct tcphdr)) {
+		/* cannot be occured */
+		duprintf("tcp_match: cannot get TCP header. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	}
+
+	tcp = (struct tcphdr *)(skb->data + tcpoff);
+
 	/* FIXME: Try tcp doff >> packet len against various stacks --RR */
 
 #define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
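Review bot: the `else if (nexthdr == IPPROTO_FRAGMENT) return 0;` branch needs a comment: it declines to match without setting *hotdrop, so a reader has to infer that a non-first fragment is intentionally passed on to later rules rather than dropped; the udp hunk's `/* Must not be a fragment. */` wording would do. Two smaller points: `/* cannot be occured */` should read `/* cannot happen */`, and the size test `skb->len - tcpoff < sizeof(struct tcphdr)` guards a dereference through `skb->data + tcpoff`, so if an skb reaching this match can carry paged data the bound should be the bytes actually linear at skb->data rather than skb->len.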
@@ -1642,8 +1662,10 @@
 	  u_int16_t datalen,
 	  int *hotdrop)
 {
-	const struct udphdr *udp = hdr;
+	const struct udphdr *udp;
 	const struct ip6t_udp *udpinfo = matchinfo;
+	int udpoff;
+	u8 nexthdr = skb->nh.ipv6h->nexthdr;
 
 	if (offset == 0 && datalen < sizeof(struct udphdr)) {
 		/* We've been asked to examine this packet, and we
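Review bot: the early check `if (offset == 0 && datalen < sizeof(struct udphdr))` kept at the top of udp_match() still measures from the `hdr` position this change stops using, so it can reject or accept a packet on a length that no longer corresponds to where the UDP header is actually found; either remove it or recompute the remaining length from udpoff once the extension headers have been skipped, and the same applies to tcp_match().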
@@ -1653,6 +1675,23 @@
 		return 0;
 	}
 
+	udpoff = (u8*)(skb->nh.ipv6h + 1) - skb->data;
+	udpoff = ipv6_skip_exthdr(skb, udpoff, &nexthdr, skb->len - udpoff);
+	if (udpoff < 0 || udpoff > skb->len) {
+		duprintf("udp_match: cannot skip exthdr. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	} else if (nexthdr == IPPROTO_FRAGMENT)
+		return 0;
+	else if (nexthdr != IPPROTO_UDP ||
+		 skb->len - udpoff < sizeof(struct udphdr)) {
+		duprintf("udp_match: cannot get UDP header. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	}
+
+	udp = (struct udphdr *)(skb->data + udpoff);
+
 	/* Must not be a fragment. */
 	return !offset
 		&& port_match(udpinfo->spts[0], udpinfo->spts[1],
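Review bot: the block from `udpoff = (u8*)(skb->nh.ipv6h + 1) - skb->data;` through the final `*hotdrop = 1; return 0;` is a line-for-line copy of the tcp_match() version with `tcp` replaced by `udp`; factor it into one static helper that takes the expected protocol and header size and returns the offset (or sets *hotdrop), so the two matches cannot drift apart. Also, `return !offset && ...` under `/* Must not be a fragment. */` now overlaps with the new `nexthdr == IPPROTO_FRAGMENT` early return; keep one fragment test and state which fragments it excludes.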

Thread overview: 4+ messages
     [not found] <200401310649.PAA00050@toshiba.co.jp>
2004-02-20  6:12 ` Yasuyuki Kozakai [this message]
2004-02-20 17:31   ` [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists David S. Miller
2004-02-26  4:05   ` Yasuyuki Kozakai
2004-02-26 20:37     ` David S. Miller
