[PATCH 0/3] netfilter fixes for net

[PATCH 0/3] netfilter fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains Netfilter fixes. They are targeted to the
TCP option targets, that have receive some scrinity in the last week. The
changes are:

* Fix TCPOPTSTRIP, it stopped working in the forward chain as tcp_hdr
  uses skb->transport_header, and we cannot use that in the forwarding
  case, from myself.

* Fix default IPv6 MSS in TCPMSS in case of absence of TCP MSS options,
  from Phil Oester.

* Fix missing fragmentation handling again in TCPMSS, from Phil Oester.

You can pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Thanks!

----------------------------------------------------------------
The following changes since commit a8241c63517ec0b900695daa9003cddc41c536a1:

  ipvs: info leak in __ip_vs_get_dest_entries() (2013-06-10 14:53:00 +0200)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to b396966c4688522863572927cb30aa874b3ec504:

  netfilter: xt_TCPMSS: Fix missing fragmentation handling (2013-06-12 11:06:19 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr()

Phil Oester (2):
      netfilter: xt_TCPMSS: Fix IPv6 default MSS too
      netfilter: xt_TCPMSS: Fix missing fragmentation handling

 net/netfilter/xt_TCPMSS.c      |   25 ++++++++++++++++++-------
 net/netfilter/xt_TCPOPTSTRIP.c |    6 ++++--
 2 files changed, 22 insertions(+), 9 deletions(-)

[PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr()

[Pablo Neira Ayuso]

In (bc6bcb5 netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond
packet boundary), the use of tcp_hdr was introduced. However, we
cannot assume that skb->transport_header is set for non-local packets.

Cc: Florian Westphal <fw@strlen.de>
Reported-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_TCPOPTSTRIP.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 1eb1a44..b68fa19 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -48,11 +48,13 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
 		return NF_DROP;
 
 	len = skb->len - tcphoff;
-	if (len < (int)sizeof(struct tcphdr) ||
-	    tcp_hdr(skb)->doff * 4 > len)
+	if (len < (int)sizeof(struct tcphdr))
 		return NF_DROP;
 
 	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+	if (tcph->doff * 4 > len)
+		return NF_DROP;
+
 	opt  = (u_int8_t *)tcph;
 
 	/*
-- 
1.7.10.4

[PATCH 2/3] netfilter: xt_TCPMSS: Fix IPv6 default MSS too

[Pablo Neira Ayuso]

From: Phil Oester <kernel@linuxace.com>

As a followup to commit 409b545a ("netfilter: xt_TCPMSS: Fix violation
of RFC879 in absence of MSS option"), John Heffner points out that IPv6
has a higher MTU than IPv4, and thus a higher minimum MSS. Update TCPMSS
target to account for this, and update RFC comment.

While at it, point to more recent reference RFC1122 instead of RFC879.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_TCPMSS.c |   21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index afaebc7..6640a22 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -45,11 +45,12 @@ optlen(const u_int8_t *opt, unsigned int offset)
 
 static int
 tcpmss_mangle_packet(struct sk_buff *skb,
-		     const struct xt_tcpmss_info *info,
+		     const struct xt_action_param *par,
 		     unsigned int in_mtu,
 		     unsigned int tcphoff,
 		     unsigned int minlen)
 {
+	const struct xt_tcpmss_info *info = par->targinfo;
 	struct tcphdr *tcph;
 	unsigned int tcplen, i;
 	__be16 oldval;
@@ -125,11 +126,17 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 
 	skb_put(skb, TCPOLEN_MSS);
 
-	/* RFC 879 states that the default MSS is 536 without specific
-	 * knowledge that the destination host is prepared to accept larger.
-	 * Since no MSS was provided, we MUST NOT set a value > 536.
+	/*
+	 * IPv4: RFC 1122 states "If an MSS option is not received at
+	 * connection setup, TCP MUST assume a default send MSS of 536".
+	 * IPv6: RFC 2460 states IPv6 has a minimum MTU of 1280 and a minimum
+	 * length IPv6 header of 60, ergo the default MSS value is 1220
+	 * Since no MSS was provided, we must use the default values
 	 */
-	newmss = min(newmss, (u16)536);
+	if (par->family == NFPROTO_IPV4)
+		newmss = min(newmss, (u16)536);
+	else
+		newmss = min(newmss, (u16)1220);
 
 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
 	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
@@ -188,7 +195,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	__be16 newlen;
 	int ret;
 
-	ret = tcpmss_mangle_packet(skb, par->targinfo,
+	ret = tcpmss_mangle_packet(skb, par,
 				   tcpmss_reverse_mtu(skb, PF_INET),
 				   iph->ihl * 4,
 				   sizeof(*iph) + sizeof(struct tcphdr));
@@ -217,7 +224,7 @@ tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 	tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off);
 	if (tcphoff < 0)
 		return NF_DROP;
-	ret = tcpmss_mangle_packet(skb, par->targinfo,
+	ret = tcpmss_mangle_packet(skb, par,
 				   tcpmss_reverse_mtu(skb, PF_INET6),
 				   tcphoff,
 				   sizeof(*ipv6h) + sizeof(struct tcphdr));
-- 
1.7.10.4

[PATCH 3/3] netfilter: xt_TCPMSS: Fix missing fragmentation handling

[Pablo Neira Ayuso]

From: Phil Oester <kernel@linuxace.com>

Similar to commit bc6bcb59 ("netfilter: xt_TCPOPTSTRIP: fix
possible mangling beyond packet boundary"), add safe fragment
handling to xt_TCPMSS.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_TCPMSS.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 6640a22..7011c71 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -57,6 +57,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 	u16 newmss;
 	u8 *opt;
 
+	/* This is a fragment, no TCP header is available */
+	if (par->fragoff != 0)
+		return XT_CONTINUE;
+
 	if (!skb_make_writable(skb, skb->len))
 		return -1;
 
-- 
1.7.10.4

Re: [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr()

[Julian Anastasov]

	Hello,

On Mon, 17 Jun 2013, Pablo Neira Ayuso wrote:

> In (bc6bcb5 netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond
> packet boundary), the use of tcp_hdr was introduced. However, we
> cannot assume that skb->transport_header is set for non-local packets.

	It is hidden also in tcp_hdrlen() which is used here.

> Cc: Florian Westphal <fw@strlen.de>
> Reported-by: Phil Oester <kernel@linuxace.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/xt_TCPOPTSTRIP.c |    6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
> index 1eb1a44..b68fa19 100644
> --- a/net/netfilter/xt_TCPOPTSTRIP.c
> +++ b/net/netfilter/xt_TCPOPTSTRIP.c
> @@ -48,11 +48,13 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
>  		return NF_DROP;
>  
>  	len = skb->len - tcphoff;
> -	if (len < (int)sizeof(struct tcphdr) ||
> -	    tcp_hdr(skb)->doff * 4 > len)
> +	if (len < (int)sizeof(struct tcphdr))
>  		return NF_DROP;
>  
>  	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
> +	if (tcph->doff * 4 > len)

	We can save tcph->doff * 4 in a var and use it
instead of tcp_hdrlen.

	BTW, optlen() touches opt[offset+1] unsafely
when i == tcp_hdrlen(skb) - 1.

> +		return NF_DROP;
> +
>  	opt  = (u_int8_t *)tcph;
>  
>  	/*
> -- 
> 1.7.10.4

Regards

--
Julian Anastasov <ja@ssi.bg>

Re: [PATCH 3/3] netfilter: xt_TCPMSS: Fix missing fragmentation handling

[Julian Anastasov]

	Hello,

On Mon, 17 Jun 2013, Pablo Neira Ayuso wrote:

> From: Phil Oester <kernel@linuxace.com>
> 
> Similar to commit bc6bcb59 ("netfilter: xt_TCPOPTSTRIP: fix
> possible mangling beyond packet boundary"), add safe fragment
> handling to xt_TCPMSS.
> 
> Signed-off-by: Phil Oester <kernel@linuxace.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/xt_TCPMSS.c |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> index 6640a22..7011c71 100644
> --- a/net/netfilter/xt_TCPMSS.c
> +++ b/net/netfilter/xt_TCPMSS.c
> @@ -57,6 +57,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>  	u16 newmss;
>  	u8 *opt;
>  
> +	/* This is a fragment, no TCP header is available */
> +	if (par->fragoff != 0)
> +		return XT_CONTINUE;
> +
>  	if (!skb_make_writable(skb, skb->len))
>  		return -1;

	This function needs the same check:

	...

+	if (tcplen < (int)sizeof(struct tcphdr))
+		return -1;
+
	/* Header cannot be larger than the packet */
	if (tcplen < tcph->doff*4)
		return -1;

	but 'tcplen' should be changed to 'int' for
this to work.

	Here we have the same optlen() problem but
I guess in both patches we always have something allocated
after the last byte in header (struct skb_shared_inf),
so crash is not possible.

Regards

--
Julian Anastasov <ja@ssi.bg>

Re: [PATCH 0/3] netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 17 Jun 2013 21:34:36 +0200

> The following patchset contains Netfilter fixes. They are targeted to the
> TCP option targets, that have receive some scrinity in the last week. The
> changes are:
> 
> * Fix TCPOPTSTRIP, it stopped working in the forward chain as tcp_hdr
>   uses skb->transport_header, and we cannot use that in the forwarding
>   case, from myself.
> 
> * Fix default IPv6 MSS in TCPMSS in case of absence of TCP MSS options,
>   from Phil Oester.
> 
> * Fix missing fragmentation handling again in TCPMSS, from Phil Oester.
> 
> You can pull these changes from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Pulled, thanks Pablo.