* [PATCH 0/2] netfilter fixes for net
From: pablo @ 2012-11-22 9:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,
The following patchset contains two Netfilter fixes:
* Fix buffer overflow in the name of the timeout policy object
in the cttimeout infrastructure, from Florian Westphal.
* Fix a bug in the hash set in case that IP ranges are
specified, from Jozsef Kadlecsik.
You can pull these changes from:
git://1984.lsi.us.es/nf master
Thanks!
Florian Westphal (1):
netfilter: cttimeout: fix buffer overflow
Jozsef Kadlecsik (1):
netfilter: ipset: Fix range bug in hash:ip,port,net
net/netfilter/ipset/ip_set_hash_ip.c | 4 ++--
net/netfilter/ipset/ip_set_hash_ipport.c | 7 +++----
net/netfilter/ipset/ip_set_hash_ipportip.c | 7 +++----
net/netfilter/ipset/ip_set_hash_ipportnet.c | 7 +++++--
net/netfilter/nfnetlink_cttimeout.c | 3 ++-
5 files changed, 15 insertions(+), 13 deletions(-)
--
1.7.10.4
* [PATCH 1/2] netfilter: ipset: Fix range bug in hash:ip,port,net
From: pablo @ 2012-11-22 9:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Due to the missing initialization at adding/deleting entries, when
a plain ip,port,net element was the object, multiple elements were
added/deleted instead. The bug came from the missing dangling
default initialization.
The error-prone default initialization is corrected in all hash:* types.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_ip.c | 4 ++--
net/netfilter/ipset/ip_set_hash_ipport.c | 7 +++----
net/netfilter/ipset/ip_set_hash_ipportip.c | 7 +++----
net/netfilter/ipset/ip_set_hash_ipportnet.c | 7 +++++--
4 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index ec3dba5..5c0b785 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -173,6 +173,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
return adtfn(set, &nip, timeout, flags);
}
+ ip_to = ip;
if (tb[IPSET_ATTR_IP_TO]) {
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
if (ret)
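Review bot: placing the unconditional `ip_to = ip;` ahead of the optional IPSET_ATTR_IP_TO / IPSET_ATTR_CIDR parsing is the right shape, and because it sits after the single-address early `return adtfn(...)` it only affects the range path. It is only correct together with the removal of the trailing `else ip_to = ip;` in the next hunk of this file, so the two hunks should never be applied or backported separately.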
@@ -185,8 +186,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
if (!cidr || cidr > 32)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
- } else
- ip_to = ip;
+ }
hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
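Review bot: with the else branch gone, every path still leaves ip_to defined before the `hosts` computation below: the IP_TO path via ip_set_get_hostipaddr4, the CIDR path via ip_set_mask_from_to (a macro that rewrites both `ip` and `ip_to` in place), and the plain-element path via the assignment added in the previous hunk. Nothing in this function is lost by dropping the else, it only removes the dangling default the commit message refers to.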
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 0171f75..6283351 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -162,7 +162,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
const struct ip_set_hash *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipport4_elem data = { };
- u32 ip, ip_to = 0, p = 0, port, port_to;
+ u32 ip, ip_to, p = 0, port, port_to;
u32 timeout = h->timeout;
bool with_ports = false;
int ret;
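Review bot: dropping the `= 0` initializer on ip_to is the substantive part of this hunk and worth keeping rather than "fixing" back. A silent zero default is what lets a path that forgets to set ip_to turn a single element into a bogus range starting at 0, which is the multiple add/delete symptom the commit message describes; an uninitialized declaration instead lets the compiler's maybe-uninitialized warning flag any such path at build time. Since the assignment now lives in a separate hunk further down, please confirm the file builds warning-free with this change.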
@@ -210,7 +210,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
return ip_set_eexist(ret, flags) ? 0 : ret;
}
- ip = ntohl(data.ip);
+ ip_to = ip = ntohl(data.ip);
if (tb[IPSET_ATTR_IP_TO]) {
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
if (ret)
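Review bot: the chained `ip_to = ip = ntohl(data.ip);` follows the existing `port_to = port = ntohs(data.port);` idiom later in this function, so the style is consistent. It also relies on data.ip having already been filled from IPSET_ATTR_IP at this point, which holds here because the single-element `adtfn` / ip_set_eexist fast path directly above has just consumed it.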
@@ -223,8 +223,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (!cidr || cidr > 32)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
- } else
- ip_to = ip;
+ }
port_to = port = ntohs(data.port);
if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 6344ef5..6a21271 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -166,7 +166,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
const struct ip_set_hash *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportip4_elem data = { };
- u32 ip, ip_to = 0, p = 0, port, port_to;
+ u32 ip, ip_to, p = 0, port, port_to;
u32 timeout = h->timeout;
bool with_ports = false;
int ret;
@@ -218,7 +218,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
return ip_set_eexist(ret, flags) ? 0 : ret;
}
- ip = ntohl(data.ip);
+ ip_to = ip = ntohl(data.ip);
if (tb[IPSET_ATTR_IP_TO]) {
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
if (ret)
@@ -231,8 +231,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
if (!cidr || cidr > 32)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
- } else
- ip_to = ip;
+ }
port_to = port = ntohs(data.port);
if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
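Review bot: the three hunks in this file are the same change as in ip_set_hash_ipport.c (declaration without a zero default, chained `ip_to = ip = ntohl(data.ip);`, trailing else dropped), so the comments made there apply unchanged. The duplication itself is a maintainability risk: the same ip/ip_to range parsing is now hand-copied into four hash:* types, and this bug shows how easily one copy drifts. Factoring it into a shared helper would be a sensible follow-up for net-next, not for this fix.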
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index cb71f9a..2d5cd4e 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -215,8 +215,8 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
const struct ip_set_hash *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportnet4_elem data = { .cidr = HOST_MASK - 1 };
- u32 ip, ip_to = 0, p = 0, port, port_to;
- u32 ip2_from = 0, ip2_to, ip2_last, ip2;
+ u32 ip, ip_to, p = 0, port, port_to;
+ u32 ip2_from, ip2_to, ip2_last, ip2;
u32 timeout = h->timeout;
bool with_ports = false;
u8 cidr;
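Review bot: two zero defaults go away here, ip_to and ip2_from. ip_to is assigned in the `ip_to = ip;` hunk below, but the assignment that sets ip2_from is outside the context shown in this patch. Please double-check that it is unconditional on every path reaching the new `ip2_to = ip2_from;` line; otherwise this hunk would replace a wrong-but-deterministic zero with an uninitialized read.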
@@ -286,6 +286,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
return ip_set_eexist(ret, flags) ? 0 : ret;
}
+ ip_to = ip;
if (tb[IPSET_ATTR_IP_TO]) {
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
if (ret)
@@ -306,6 +307,8 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (port > port_to)
swap(port, port_to);
}
+
+ ip2_to = ip2_from;
if (tb[IPSET_ATTR_IP2_TO]) {
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
if (ret)
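Review bot: this is the hunk that actually fixes the reported behaviour for a plain ip,port,net element: ip2_to now defaults to ip2_from before the optional IPSET_ATTR_IP2_TO parsing, so the second-address iteration covers exactly one value when no range is given instead of whatever ip2_to happened to hold. The added blank line above it is cosmetic only. Since the other three files in this patch are consistency cleanups, it would help future bisecting to say in the commit message that ip_set_hash_ipportnet.c is the type that exhibited the symptom.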
--
1.7.10.4
* [PATCH 2/2] netfilter: cttimeout: fix buffer overflow
From: pablo @ 2012-11-22 9:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
Chen Gang reports:
the length of nla_data(cda[CTA_TIMEOUT_NAME]) is not limited on the server side.
And indeed, it's used to strcpy to a fixed-sized buffer.
Fortunately, nfnetlink users need CAP_NET_ADMIN.
Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_cttimeout.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 8847b4d..701c88a 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -41,7 +41,8 @@ MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tu
static LIST_HEAD(cttimeout_list);
static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
- [CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING },
+ [CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING,
+ .len = CTNL_TIMEOUT_NAME_MAX - 1},
[CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 },
[CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 },
[CTA_TIMEOUT_DATA] = { .type = NLA_NESTED },
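Review bot: the bound is correct as a policy-level fix. For NLA_NUL_STRING, `.len` is the maximum string length excluding the terminator, and attribute validation rejects a payload that has no NUL within the first `.len + 1` bytes, so `.len = CTNL_TIMEOUT_NAME_MAX - 1` guarantees that the name plus its NUL fits in a CTNL_TIMEOUT_NAME_MAX-byte destination. Two follow-ups worth considering: the strcpy in the consumer (not in this hunk) should become strlcpy bounded by the destination size, so the copy stays safe even if the attribute ever reaches it through a path that does not run this policy, and the other NLA_NUL_STRING attributes in nfnetlink policies deserve the same `.len` audit, since this one was missed.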
--
1.7.10.4
* Re: [PATCH 0/2] netfilter fixes for net
From: David Miller @ 2012-11-22 20:28 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Thu, 22 Nov 2012 10:10:50 +0100
> The following patchset contains two Netfilter fixes:
>
> * Fix buffer overflow in the name of the timeout policy object
> in the cttimeout infrastructure, from Florian Westphal.
>
> * Fix a bug in the hash set in case that IP ranges are
> specified, from Jozsef Kadlecsik.
Pulled, thanks Pablo.