From: kbuild test robot <lkp@intel.com>
To: Zhouyi Zhou <zhouzhouyi@gmail.com>
Cc: kbuild-all@01.org, pablo@netfilter.org, kaber@trash.net,
kadlec@blackhole.kfki.hu, davem@davemloft.net,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Zhouyi Zhou <yizhouzhou@ict.ac.cn>,
Zhouyi Zhou <zhouzhouyi@gmail.com>
Subject: Re: [PATCH 1/1] netfilter: h323: avoid potential attack
Date: Wed, 27 Jan 2016 23:06:27 +0800 [thread overview]
Message-ID: <201601272338.CDMcH7dg%fengguang.wu@intel.com> (raw)
In-Reply-To: <1453905646-6446-1-git-send-email-zhouzhouyi@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 6526 bytes --]
Hi Zhouyi,
[auto build test ERROR on nf-next/master]
[also build test ERROR on v4.5-rc1 next-20160127]
[if your patch is applied to the wrong git tree, please drop us a note to help improving the system]
url: https://github.com/0day-ci/linux/commits/Zhouyi-Zhou/netfilter-h323-avoid-potential-attack/20160127-225253
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next master
config: x86_64-randconfig-x016-01270835 (attached as .config)
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All error/warnings (new ones prefixed by >>):
net/netfilter/nf_conntrack_h323_main.c: In function 'get_h245_addr':
>> net/netfilter/nf_conntrack_h323_main.c:114:11: error: invalid operands to binary - (have 'const unsigned char *' and 'char *')
if (((p - h323_buffer) + n) > 65536) \
^
>> net/netfilter/nf_conntrack_h323_main.c:254:2: note: in expansion of macro 'CHECK_BOUND'
CHECK_BOUND(p, len);
^
net/netfilter/nf_conntrack_h323_main.c: In function 'get_h225_addr':
>> net/netfilter/nf_conntrack_h323_main.c:114:11: error: invalid operands to binary - (have 'const unsigned char *' and 'char *')
if (((p - h323_buffer) + n) > 65536) \
^
net/netfilter/nf_conntrack_h323_main.c:678:2: note: in expansion of macro 'CHECK_BOUND'
CHECK_BOUND(p, len);
^
vim +114 net/netfilter/nf_conntrack_h323_main.c
108 __be16 port, struct nf_conntrack_expect *exp)
109 __read_mostly;
110
111 static DEFINE_SPINLOCK(nf_h323_lock);
112 static char *h323_buffer;
113 #define CHECK_BOUND(p, n) do { \
> 114 if (((p - h323_buffer) + n) > 65536) \
115 return 0; \
116 } while (0)
117
118 static struct nf_conntrack_helper nf_conntrack_helper_h245;
119 static struct nf_conntrack_helper nf_conntrack_helper_q931[];
120 static struct nf_conntrack_helper nf_conntrack_helper_ras[];
121
122 /****************************************************************************/
123 static int get_tpkt_data(struct sk_buff *skb, unsigned int protoff,
124 struct nf_conn *ct, enum ip_conntrack_info ctinfo,
125 unsigned char **data, int *datalen, int *dataoff)
126 {
127 struct nf_ct_h323_master *info = nfct_help_data(ct);
128 int dir = CTINFO2DIR(ctinfo);
129 const struct tcphdr *th;
130 struct tcphdr _tcph;
131 int tcpdatalen;
132 int tcpdataoff;
133 unsigned char *tpkt;
134 int tpktlen;
135 int tpktoff;
136
137 /* Get TCP header */
138 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
139 if (th == NULL)
140 return 0;
141
142 /* Get TCP data offset */
143 tcpdataoff = protoff + th->doff * 4;
144
145 /* Get TCP data length */
146 tcpdatalen = skb->len - tcpdataoff;
147 if (tcpdatalen <= 0) /* No TCP data */
148 goto clear_out;
149
150 if (*data == NULL) { /* first TPKT */
151 /* Get first TPKT pointer */
152 tpkt = skb_header_pointer(skb, tcpdataoff, tcpdatalen,
153 h323_buffer);
154 BUG_ON(tpkt == NULL);
155
156 /* Validate TPKT identifier */
157 if (tcpdatalen < 4 || tpkt[0] != 0x03 || tpkt[1] != 0) {
158 /* Netmeeting sends TPKT header and data separately */
159 if (info->tpkt_len[dir] > 0) {
160 pr_debug("nf_ct_h323: previous packet "
161 "indicated separate TPKT data of %hu "
162 "bytes\n", info->tpkt_len[dir]);
163 if (info->tpkt_len[dir] <= tcpdatalen) {
164 /* Yes, there was a TPKT header
165 * received */
166 *data = tpkt;
167 *datalen = info->tpkt_len[dir];
168 *dataoff = 0;
169 goto out;
170 }
171
172 /* Fragmented TPKT */
173 pr_debug("nf_ct_h323: fragmented TPKT\n");
174 goto clear_out;
175 }
176
177 /* It is not even a TPKT */
178 return 0;
179 }
180 tpktoff = 0;
181 } else { /* Next TPKT */
182 tpktoff = *dataoff + *datalen;
183 tcpdatalen -= tpktoff;
184 if (tcpdatalen <= 4) /* No more TPKT */
185 goto clear_out;
186 tpkt = *data + *datalen;
187
188 /* Validate TPKT identifier */
189 if (tpkt[0] != 0x03 || tpkt[1] != 0)
190 goto clear_out;
191 }
192
193 /* Validate TPKT length */
194 tpktlen = tpkt[2] * 256 + tpkt[3];
195 if (tpktlen < 4)
196 goto clear_out;
197 if (tpktlen > tcpdatalen) {
198 if (tcpdatalen == 4) { /* Separate TPKT header */
199 /* Netmeeting sends TPKT header and data separately */
200 pr_debug("nf_ct_h323: separate TPKT header indicates "
201 "there will be TPKT data of %hu bytes\n",
202 tpktlen - 4);
203 info->tpkt_len[dir] = tpktlen - 4;
204 return 0;
205 }
206
207 pr_debug("nf_ct_h323: incomplete TPKT (fragmented?)\n");
208 goto clear_out;
209 }
210
211 /* This is the encapsulated data */
212 *data = tpkt + 4;
213 *datalen = tpktlen - 4;
214 *dataoff = tpktoff + 4;
215
216 out:
217 /* Clear TPKT length */
218 info->tpkt_len[dir] = 0;
219 return 1;
220
221 clear_out:
222 info->tpkt_len[dir] = 0;
223 return 0;
224 }
225
226 /****************************************************************************/
227 static int get_h245_addr(struct nf_conn *ct, const unsigned char *data,
228 H245_TransportAddress *taddr,
229 union nf_inet_addr *addr, __be16 *port)
230 {
231 const unsigned char *p;
232 int len;
233
234 if (taddr->choice != eH245_TransportAddress_unicastAddress)
235 return 0;
236
237 switch (taddr->unicastAddress.choice) {
238 case eUnicastAddress_iPAddress:
239 if (nf_ct_l3num(ct) != AF_INET)
240 return 0;
241 p = data + taddr->unicastAddress.iPAddress.network;
242 len = 4;
243 break;
244 case eUnicastAddress_iP6Address:
245 if (nf_ct_l3num(ct) != AF_INET6)
246 return 0;
247 p = data + taddr->unicastAddress.iP6Address.network;
248 len = 16;
249 break;
250 default:
251 return 0;
252 }
253
> 254 CHECK_BOUND(p, len);
255
256 memcpy(addr, p, len);
257 memset((void *)addr + len, 0, sizeof(*addr) - len);
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/octet-stream, Size: 18860 bytes --]
next prev parent reply other threads:[~2016-01-27 15:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-27 14:40 [PATCH 1/1] netfilter: h323: avoid potential attack Zhouyi Zhou
2016-01-27 15:06 ` kbuild test robot [this message]
2016-01-27 15:57 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201601272338.CDMcH7dg%fengguang.wu@intel.com \
--to=lkp@intel.com \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=kbuild-all@01.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=yizhouzhou@ict.ac.cn \
--cc=zhouzhouyi@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox