Re: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists

Re: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists

[Yasuyuki Kozakai]

[-- Attachment #1: Type: Text/Plain, Size: 1071 bytes --]


Hello,

I sent the patch which fixes this bug to netfilter-devel, but it include
other bug... sorry, I rewrite patch for ip6_tables.c .

Please don't forget apply the patch which fixes the bug in ipv6_skip_exthdr()
before you tests this patch. I sent it last few minutes to netdev and
netfilter-devel.

Regards,

-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@toshiba.co.jp>


From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Subject: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists
Date: Sat, 31 Jan 2004 15:49:32 +0900 (JST)


> Hi,
> 
> tcp_match() and udp_match() in ip6tables.c assume that previous header
> of TCP/UDP header is IPv6 Header. So, for example, 1st of fragmented UDP
> packet, AHed packets can't correctly match the rules which use
> "--sport" and so on.
> 
> This patch use ipv6_skip_exthdr() . But this function has the bug which
> access invalid memory area when found Fragment Header.
> So this patch includes the change for that, too.
> 
> Regards,

[-- Attachment #2: tcp-udp.patch --]
[-- Type: Text/Plain, Size: 2711 bytes --]

diff -Nur linux-2.6.3/net/ipv6/ipv6_syms.c linux-2.6.3-fixed/net/ipv6/ipv6_syms.c
--- linux-2.6.3/net/ipv6/ipv6_syms.c	2004-02-18 12:58:48.000000000 +0900
+++ linux-2.6.3-fixed/net/ipv6/ipv6_syms.c	2004-02-19 19:11:12.000000000 +0900
@@ -46,3 +46,4 @@
 EXPORT_SYMBOL(ip6_flush_pending_frames);
 EXPORT_SYMBOL(ip6_push_pending_frames);
 EXPORT_SYMBOL(ipv6_push_nfrag_opts);
+EXPORT_SYMBOL(ipv6_skip_exthdr);
diff -Nur linux-2.6.3/net/ipv6/netfilter/ip6_tables.c linux-2.6.3-fixed/net/ipv6/netfilter/ip6_tables.c
--- linux-2.6.3/net/ipv6/netfilter/ip6_tables.c	2004-02-18 12:59:22.000000000 +0900
+++ linux-2.6.3-fixed/net/ipv6/netfilter/ip6_tables.c	2004-02-20 12:39:48.155754688 +0900
@@ -1570,8 +1570,10 @@
 	  u_int16_t datalen,
 	  int *hotdrop)
 {
-	const struct tcphdr *tcp = hdr;
+	const struct tcphdr *tcp;
 	const struct ip6t_tcp *tcpinfo = matchinfo;
+	int tcpoff;
+	u8 nexthdr = skb->nh.ipv6h->nexthdr;
 
 	/* To quote Alan:
 
@@ -1592,6 +1594,24 @@
 		return 0;
 	}
 
+	tcpoff = (u8*)(skb->nh.ipv6h + 1) - skb->data;
+	tcpoff = ipv6_skip_exthdr(skb, tcpoff, &nexthdr, skb->len - tcpoff);
+	if (tcpoff < 0 || tcpoff > skb->len) {
+		duprintf("tcp_match: cannot skip exthdr. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	} else if (nexthdr == IPPROTO_FRAGMENT)
+		return 0;
+	else if (nexthdr != IPPROTO_TCP ||
+		 skb->len - tcpoff < sizeof(struct tcphdr)) {
+		/* cannot be occured */
+		duprintf("tcp_match: cannot get TCP header. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	}
+
+	tcp = (struct tcphdr *)(skb->data + tcpoff);
+
 	/* FIXME: Try tcp doff >> packet len against various stacks --RR */
 
 #define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
@@ -1642,8 +1662,10 @@
 	  u_int16_t datalen,
 	  int *hotdrop)
 {
-	const struct udphdr *udp = hdr;
+	const struct udphdr *udp;
 	const struct ip6t_udp *udpinfo = matchinfo;
+	int udpoff;
+	u8 nexthdr = skb->nh.ipv6h->nexthdr;
 
 	if (offset == 0 && datalen < sizeof(struct udphdr)) {
 		/* We've been asked to examine this packet, and we
@@ -1653,6 +1675,23 @@
 		return 0;
 	}
 
+	udpoff = (u8*)(skb->nh.ipv6h + 1) - skb->data;
+	udpoff = ipv6_skip_exthdr(skb, udpoff, &nexthdr, skb->len - udpoff);
+	if (udpoff < 0 || udpoff > skb->len) {
+		duprintf("udp_match: cannot skip exthdr. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	} else if (nexthdr == IPPROTO_FRAGMENT)
+		return 0;
+	else if (nexthdr != IPPROTO_UDP ||
+		 skb->len - udpoff < sizeof(struct udphdr)) {
+		duprintf("udp_match: cannot get UDP header. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	}
+
+	udp = (struct udphdr *)(skb->data + udpoff);
+
 	/* Must not be a fragment. */
 	return !offset
 		&& port_match(udpinfo->spts[0], udpinfo->spts[1],

Re: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists

[David S. Miller]

On Fri, 20 Feb 2004 15:12:17 +0900 (JST)
Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> wrote:

> I sent the patch which fixes this bug to netfilter-devel, but it include
> other bug... sorry, I rewrite patch for ip6_tables.c .
> 
> Please don't forget apply the patch which fixes the bug in ipv6_skip_exthdr()
> before you tests this patch. I sent it last few minutes to netdev and
> netfilter-devel.

I have applied this patch too, thanks a lot.

Re: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists

[Yasuyuki Kozakai]

[-- Attachment #1: Type: Text/Plain, Size: 973 bytes --]


Hi,

This patch is for linux 2.4.26-pre1 .

Summery:
tcp_match() and udp_match() in ip6tables.c assume that previous header
of TCP/UDP header is IPv6 Header. So, for example, 1st of fragmented UDP
packet, AHed packets can't correctly match the rules which use
"--sport" and so on.

-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@toshiba.co.jp>


From: "David S. Miller" <davem@redhat.com>
Date: Fri, 20 Feb 2004 09:31:58 -0800

> On Fri, 20 Feb 2004 15:12:17 +0900 (JST)
> Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> wrote:
> 
> > I sent the patch which fixes this bug to netfilter-devel, but it include
> > other bug... sorry, I rewrite patch for ip6_tables.c .
> > 
> > Please don't forget apply the patch which fixes the bug in ipv6_skip_exthdr()
> > before you tests this patch. I sent it last few minutes to netdev and
> > netfilter-devel.
> 
> I have applied this patch too, thanks a lot.


[-- Attachment #2: linux-2.4.26-pre1-tcpudp.patch --]
[-- Type: Text/Plain, Size: 2743 bytes --]

diff -Nur linux-2.4.26-pre1/net/ipv6/ipv6_syms.c linux-2.4.26-pre1-fixed/net/ipv6/ipv6_syms.c
--- linux-2.4.26-pre1/net/ipv6/ipv6_syms.c	2003-11-29 03:26:21.000000000 +0900
+++ linux-2.4.26-pre1-fixed/net/ipv6/ipv6_syms.c	2004-02-26 11:03:19.000000000 +0900
@@ -33,3 +33,5 @@
 EXPORT_SYMBOL(ipv6_get_saddr);
 EXPORT_SYMBOL(ipv6_chk_addr);
 EXPORT_SYMBOL(in6_dev_finish_destroy);
+EXPORT_SYMBOL(ipv6_skip_exthdr);
+
diff -Nur linux-2.4.26-pre1/net/ipv6/netfilter/ip6_tables.c linux-2.4.26-pre1-fixed/net/ipv6/netfilter/ip6_tables.c
--- linux-2.4.26-pre1/net/ipv6/netfilter/ip6_tables.c	2004-02-18 22:36:32.000000000 +0900
+++ linux-2.4.26-pre1-fixed/net/ipv6/netfilter/ip6_tables.c	2004-02-26 10:45:26.000000000 +0900
@@ -1568,8 +1568,10 @@
 	  u_int16_t datalen,
 	  int *hotdrop)
 {
-	const struct tcphdr *tcp = hdr;
+	const struct tcphdr *tcp;
 	const struct ip6t_tcp *tcpinfo = matchinfo;
+	int tcpoff;
+	u8 nexthdr = skb->nh.ipv6h->nexthdr;
 
 	/* To quote Alan:
 
@@ -1590,6 +1592,24 @@
 		return 0;
 	}
 
+	tcpoff = (u8*)(skb->nh.ipv6h + 1) - skb->data;
+	tcpoff = ipv6_skip_exthdr(skb, tcpoff, &nexthdr, skb->len - tcpoff);
+	if (tcpoff < 0 || tcpoff > skb->len) {
+		duprintf("tcp_match: cannot skip exthdr. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	} else if (nexthdr == IPPROTO_FRAGMENT)
+		return 0;
+	else if (nexthdr != IPPROTO_TCP ||
+		 skb->len - tcpoff < sizeof(struct tcphdr)) {
+		/* cannot be occured */
+		duprintf("tcp_match: cannot get TCP header. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	}
+
+	tcp = (struct tcphdr *)(skb->data + tcpoff);
+
 	/* FIXME: Try tcp doff >> packet len against various stacks --RR */
 
 #define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
@@ -1640,8 +1660,10 @@
 	  u_int16_t datalen,
 	  int *hotdrop)
 {
-	const struct udphdr *udp = hdr;
+	const struct udphdr *udp;
 	const struct ip6t_udp *udpinfo = matchinfo;
+	int udpoff;
+	u8 nexthdr = skb->nh.ipv6h->nexthdr;
 
 	if (offset == 0 && datalen < sizeof(struct udphdr)) {
 		/* We've been asked to examine this packet, and we
@@ -1651,6 +1673,23 @@
 		return 0;
 	}
 
+	udpoff = (u8*)(skb->nh.ipv6h + 1) - skb->data;
+	udpoff = ipv6_skip_exthdr(skb, udpoff, &nexthdr, skb->len - udpoff);
+	if (udpoff < 0 || udpoff > skb->len) {
+		duprintf("udp_match: cannot skip exthdr. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	} else if (nexthdr == IPPROTO_FRAGMENT)
+		return 0;
+	else if (nexthdr != IPPROTO_UDP ||
+		 skb->len - udpoff < sizeof(struct udphdr)) {
+		duprintf("udp_match: cannot get UDP header. Dropping.\n");
+		*hotdrop = 1;
+		return 0;
+	}
+
+	udp = (struct udphdr *)(skb->data + udpoff);
+
 	/* Must not be a fragment. */
 	return !offset
 		&& port_match(udpinfo->spts[0], udpinfo->spts[1],

Re: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists

[David S. Miller]

On Thu, 26 Feb 2004 13:05:50 +0900 (JST)
Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> wrote:

> This patch is for linux 2.4.26-pre1 .
> 
> Summery:
> tcp_match() and udp_match() in ip6tables.c assume that previous header
> of TCP/UDP header is IPv6 Header. So, for example, 1st of fragmented UDP
> packet, AHed packets can't correctly match the rules which use
> "--sport" and so on.

Also applied, thank you.