* [PATCH] Kernel oops in ip6t_LOG.c:ip6_nexthdr
@ 2004-08-26 11:35 Olaf Kirch
2004-08-26 11:56 ` YOSHIFUJI Hideaki / 吉藤英明
2004-08-26 21:10 ` David S. Miller
0 siblings, 2 replies; 3+ messages in thread
From: Olaf Kirch @ 2004-08-26 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: netdev
Hi,
We just ran into a kernel oops after enabling ipv6 packet filtering.
The machine would choke on the IGMPv6 packets sent out when the
interface is taken up. The reason is this code:
/*stupid rfc2402 */
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
case IPPROTO_HOPOPTS:
nexthdr = **hdrptr;
hdrlen = *hdrptr[1] * 8 + 8;
^^^^^^^^^^ it dies here
*hdrptr = *hdrptr + hdrlen;
break;
hdrptr is a u_int8_t **. What you really want to do here is
look at (*hdrptr)[1], but what the expression does is look at
*(hdrptr[1]). Unfortunately, hdrptr[1] is usually random garbage.
The attached patch fixes this.
Olaf
--
Olaf Kirch | The Hardware Gods hate me.
okir@suse.de |
---------------+
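The precedence trap described above, and the length check the header walk in ip6t_LOG.c also goes without, as an added C example that is not part of this thread or of the kernel code. The `ip6_upper_layer` walker, the `read_length_*` helpers and the `sample_mld` packet bytes (an MLD report carried behind a Hop-by-Hop header, the IPv6 analogue of the IGMP packets Olaf mentions, checksum left zero) are all constructed for this illustration; the `* 4 + 8` (AH) and `* 8 + 8` (other extension headers) length arithmetic is the same as in the patched code, the explicit bounds checks are the addition.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Protocol numbers (same values as <netinet/in.h>, defined here so the
 * file is self-contained). */
#define IPPROTO_HOPOPTS   0
#define IPPROTO_ROUTING  43
#define IPPROTO_FRAGMENT 44
#define IPPROTO_AH       51
#define IPPROTO_ICMPV6   58
#define IPPROTO_DSTOPTS  60

/* --- The precedence bug itself -------------------------------------
 * hdrptr is a uint8_t **.  (*hdrptr)[1] reads byte 1 of the header being
 * parsed; *hdrptr[1] parses as *(hdrptr[1]) and dereferences whatever
 * pointer happens to sit after *hdrptr in memory.  In the kernel that was
 * random stack garbage; here it is a constructed second array, so both
 * expressions are well defined and the difference is visible. */
static uint8_t hdr_a[2] = { 0, 7 };          /* constructed header: nexthdr 0, length 7 */
static uint8_t hdr_b[2] = { 9, 3 };          /* constructed neighbour pointed to by hdrptr[1] */
static uint8_t *hdr_table[2] = { hdr_a, hdr_b };

int read_length_intended(void)
{
    uint8_t **hdrptr = hdr_table;
    return (*hdrptr)[1];                     /* 7: the length byte the code meant */
}

int read_length_as_written(void)
{
    uint8_t **hdrptr = hdr_table;
    return *hdrptr[1];                       /* 9: first byte of the *other* array */
}

/* --- A bounded extension-header walk ------------------------------
 * Returns the upper-layer protocol of the IPv6 packet in pkt[0..len) and
 * stores its offset in *off; returns -1 if any header would run past len.
 * Lengths come from the packet, so they are checked before use. */
int ip6_upper_layer(const uint8_t *pkt, size_t len, size_t *off)
{
    size_t pos = 40;                         /* fixed IPv6 header */
    uint8_t nexthdr;

    if (len < 40)
        return -1;
    nexthdr = pkt[6];                        /* Next Header field */

    for (;;) {
        const uint8_t *hdr = pkt + pos;      /* pos <= len holds at every iteration */
        size_t hdrlen;

        switch (nexthdr) {
        case IPPROTO_AH:
        case IPPROTO_HOPOPTS:
        case IPPROTO_ROUTING:
        case IPPROTO_DSTOPTS:
            if (len - pos < 2)               /* need the nexthdr and length bytes */
                return -1;
            /* AH: length in 32-bit words minus 2; others: in 8-octet units
             * not counting the first 8.  Same formulas as ip6t_LOG.c. */
            hdrlen = (nexthdr == IPPROTO_AH) ? (size_t)hdr[1] * 4 + 8
                                             : (size_t)hdr[1] * 8 + 8;
            if (hdrlen > len - pos)          /* header claims more than we hold */
                return -1;
            nexthdr = hdr[0];
            pos += hdrlen;
            break;
        case IPPROTO_FRAGMENT:               /* fixed 8-byte header */
            if (len - pos < 8)
                return -1;
            nexthdr = hdr[0];
            pos += 8;
            break;
        default:
            *off = pos;
            return nexthdr;
        }
    }
}

/* Constructed sample: IPv6 + Hop-by-Hop (Router Alert) + MLDv2 report. */
static const uint8_t sample_mld[76] = {
    /* IPv6: version 6, payload length 36, next header 0 (HOPOPTS), hop limit 1 */
    0x60, 0x00, 0x00, 0x00,  0x00, 0x24, 0x00, 0x01,
    /* src fe80::1 */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 1,
    /* dst ff02::16 */
    0xff, 0x02, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0x16,
    /* Hop-by-Hop: next header 58, hdr ext len 0 (= 8 bytes), Router Alert, PadN */
    58, 0, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00,
    /* ICMPv6 MLDv2 report (type 143), one record, checksum left zero */
    143, 0, 0x00, 0x00,  0x00, 0x00, 0x00, 0x01,
    0x04, 0x00, 0x00, 0x00,
    0xff, 0x02, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0x16
};

int demo_proto(void)     { size_t off; return ip6_upper_layer(sample_mld, sizeof sample_mld, &off); }
int demo_offset(void)    { size_t off = 0; ip6_upper_layer(sample_mld, sizeof sample_mld, &off); return (int)off; }
int demo_truncated(void) { size_t off; return ip6_upper_layer(sample_mld, 41, &off); }  /* length byte cut off */
int demo_bad_length(void)
{
    uint8_t bad[sizeof sample_mld];
    size_t off;
    memcpy(bad, sample_mld, sizeof bad);
    bad[41] = 0xff;                          /* HBH now claims 255*8+8 = 2048 bytes */
    return ip6_upper_layer(bad, sizeof bad, &off);
}

int main(void)
{
    printf("(*hdrptr)[1] = %d, *hdrptr[1] = %d\n", read_length_intended(), read_length_as_written());
    printf("upper layer %d at offset %d\n", demo_proto(), demo_offset());
    printf("truncated: %d, oversized length: %d\n", demo_truncated(), demo_bad_length());
    return 0;
}
```

The two `read_length_*` functions return different bytes from the same `hdrptr`, which is the whole bug in one line. The walker shows the check the logging target would need besides the precedence fix: a length read from the wire is compared against the bytes actually present before the pointer is advanced, so a truncated or oversized extension header yields -1 instead of a read past the buffer.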
[-- Attachment #2: netfilter6-logging --]
Prevent oopses when logging IGMPv6 packets and similar.
Index: linux-2.6.5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.5/net/ipv6/netfilter/ip6t_LOG.c
@@ -55,7 +55,7 @@ static u_int8_t ip6_nexthdr(u_int8_t cur
repeatedly...with a large stick...no, an even LARGER
stick...no, you're still not thinking big enough */
nexthdr = **hdrptr;
- hdrlen = *hdrptr[1] * 4 + 8;
+ hdrlen = (*hdrptr)[1] * 4 + 8;
*hdrptr = *hdrptr + hdrlen;
break;
/*stupid rfc2402 */
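Review bot: the replacement `(*hdrptr)[1]` is the right fix for the precedence error (`*hdrptr[1]` parses as `*(hdrptr[1])`), but the hunk still advances `*hdrptr` by a length taken from the packet (`*hdrptr = *hdrptr + hdrlen;`) with no comparison against the end of the buffer anywhere in the visible lines; suggest passing the packet end (or remaining length) into ip6_nexthdr and returning early when `hdrlen` exceeds it, so a malformed AH header cannot move the pointer past the data even with the correct byte being read. The one-line changelog "Prevent oopses when logging IGMPv6 packets and similar." would also be more useful if it named the cause, an operator-precedence bug in the header-length read.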
@@ -63,7 +63,7 @@ static u_int8_t ip6_nexthdr(u_int8_t cur
case IPPROTO_ROUTING:
case IPPROTO_HOPOPTS:
nexthdr = **hdrptr;
- hdrlen = *hdrptr[1] * 8 + 8;
+ hdrlen = (*hdrptr)[1] * 8 + 8;
*hdrptr = *hdrptr + hdrlen;
break;
case IPPROTO_FRAGMENT:
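Review bot: same precedence fix, correctly applied to the three extension headers whose length field counts 8-octet units excluding the first 8 (hence `* 8 + 8`, versus `* 4 + 8` for AH in the hunk above). Two points: the `/*stupid rfc2402 */` comment that precedes the DSTOPTS/ROUTING/HOPOPTS cases refers to the AH spec, while these headers are defined in RFC 2460, so the comment should be corrected or moved to the AH case. And, as for AH, `*hdrptr = *hdrptr + hdrlen;` still needs a bound against the packet end before the pointer is advanced; a Hop-by-Hop header with a large length byte would otherwise push the pointer well past the skb data.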
* Re: [PATCH] Kernel oops in ip6t_LOG.c:ip6_nexthdr
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2004-08-26 11:56 UTC (permalink / raw)
To: okir, netdev; +Cc: netfilter-devel
In article <20040826113538.GE15409@suse.de> (at Thu, 26 Aug 2004 13:35:39 +0200), Olaf Kirch <okir@suse.de> says:
> hdrlen = *hdrptr[1] * 8 + 8;
> ^^^^^^^^^^ it dies here
> *hdrptr = *hdrptr + hdrlen;
> break;
>
> hdrptr is a u_int8_t **. What you really want to do here is
> look at (*hdrptr)[1], but what the expression does is look at
> *(hdrptr[1]). Unfortunately, hdrptr[1] is usually random garbage.
Agreed. Same bug also lives in 2.4.x.
--yoshfuji
* Re: [PATCH] Kernel oops in ip6t_LOG.c:ip6_nexthdr
From: David S. Miller @ 2004-08-26 21:10 UTC (permalink / raw)
To: Olaf Kirch; +Cc: netdev, netfilter-devel
On Thu, 26 Aug 2004 13:35:39 +0200
Olaf Kirch <okir@suse.de> wrote:
> hdrptr is a u_int8_t **. What you really want to do here is
> look at (*hdrptr)[1], but what the expression does is look at
> *(hdrptr[1]). Unfortunately, hdrptr[1] is usually random garbage.
Good catch, patch applied (to 2.4.x too).
Thanks Olaf.