* [PATCH] netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (v3)
From: Andrey Vagin @ 2014-03-28 9:54 UTC (permalink / raw)
To: linux-kernel
Cc: netfilter-devel, netfilter, coreteam, netdev, vvs, Andrey Vagin,
Pablo Neira Ayuso, Patrick McHardy, Jozsef Kadlecsik,
David S. Miller
"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
case it can contain all extensions. Below you can find sizes for all
types of extensions. Their sum is definitely bigger than 256.
nf_ct_ext_types[0]->len = 24
nf_ct_ext_types[1]->len = 32
nf_ct_ext_types[2]->len = 24
nf_ct_ext_types[3]->len = 32
nf_ct_ext_types[4]->len = 152
nf_ct_ext_types[5]->len = 2
nf_ct_ext_types[6]->len = 16
nf_ct_ext_types[7]->len = 8
I have seen "len" up to 280 and my host has crashes w/o this patch.
The right way to fix this problem is reducing the size of the ecache
extension (4) and Florian is going to do this, but these changes will
be quite large to be appropriate for a stable tree.
v2: rearrange the extension so ECACHE comes last. This is required to
prevent overflow of nf_ct_ext->offset.
v3: The previous attempt of rearranging constants doesn't work here,
because extensions may be added in a random order.
Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrey Vagin <avagin@openvz.org>
---
include/net/netfilter/nf_conntrack_extend.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 956b175..55d1504 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -47,8 +47,8 @@ enum nf_ct_ext_id {
/* Extensions: optional stuff which isn't permanently in struct. */
struct nf_ct_ext {
struct rcu_head rcu;
- u8 offset[NF_CT_EXT_NUM];
- u8 len;
+ u16 offset[NF_CT_EXT_NUM];
+ u16 len;
char data[0];
};
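Review bot: The widened `offset[NF_CT_EXT_NUM]` and `len` fields in struct nf_ct_ext carry no comment or compile-time guard stating the limit they now assume, so the same overflow can come back unnoticed if extensions grow again. A short comment above the two fields saying that offsets and the total length must fit in 16 bits, and why u8 was not enough, would help the stable reader. The diffstat shows only this header changing, so please also confirm that no caller copies `offset[]` or `len` into a narrower local, since that code is not visible here.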
--
1.8.5.3
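The truncation the commit message describes, as an added example that is not part of the original patch or of the kernel source: it lays out the listed extension sizes in a given order and records what an 8-bit or 16-bit `offset`/`len` field would keep. The 32-byte header size, the two orderings and the names `build`, `layout`, `ecache_last` and `ecache_first` are assumptions made for illustration, and alignment padding is ignored.

```c
#include <stdio.h>
#include <stddef.h>

/* Per-extension sizes exactly as listed in the commit message. */
static const unsigned ext_len[8] = { 24, 32, 24, 32, 152, 2, 16, 8 };

struct layout {
    unsigned true_len;      /* real end of the extension area */
    unsigned stored_len;    /* value a len field of the given width keeps */
    int offset_truncated;   /* some offset[] entry did not fit */
    int len_truncated;      /* len itself did not fit */
};

/* Append extensions in the given order, as fields of `bits` width would
 * record them. hdr is an assumed header size; alignment padding is ignored. */
static struct layout build(const int *order, size_t n, unsigned hdr, unsigned bits)
{
    unsigned max = (1u << bits) - 1;
    struct layout l = { hdr, hdr & max, 0, 0 };

    for (size_t i = 0; i < n; i++) {
        unsigned off = l.true_len;        /* new extension starts at the old end */
        l.true_len = off + ext_len[order[i]];
        if (off > max)
            l.offset_truncated = 1;
        if (l.true_len > max)
            l.len_truncated = 1;
        l.stored_len = l.true_len & max;
    }
    return l;
}

/* Constructed orderings: ECACHE (id 4) last, as v2 tried, and ECACHE first. */
static const int ecache_last[8]  = { 0, 1, 2, 3, 5, 6, 7, 4 };
static const int ecache_first[8] = { 4, 0, 1, 2, 3, 5, 6, 7 };

int main(void)
{
    struct layout a = build(ecache_last, 8, 32, 8);
    struct layout b = build(ecache_first, 8, 32, 8);
    struct layout c = build(ecache_first, 8, 32, 16);

    printf("u8  ecache last : len %u stored %u off_trunc %d\n", a.true_len, a.stored_len, a.offset_truncated);
    printf("u8  ecache first: len %u stored %u off_trunc %d\n", b.true_len, b.stored_len, b.offset_truncated);
    printf("u16 ecache first: len %u stored %u off_trunc %d\n", c.true_len, c.stored_len, c.offset_truncated);
    return 0;
}
```

With ECACHE last every offset still fits in 8 bits but `len` does not, which is the v2 situation; with ECACHE added earlier the later offsets are truncated as well, which is why v3 widens both fields.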
* Re: [PATCH] netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (v3)
From: Pablo Neira Ayuso @ 2014-03-30 11:35 UTC (permalink / raw)
To: Andrey Vagin
Cc: linux-kernel, netfilter-devel, netfilter, coreteam, netdev, vvs,
Patrick McHardy, Jozsef Kadlecsik, David S. Miller
On Fri, Mar 28, 2014 at 01:54:32PM +0400, Andrey Vagin wrote:
> "len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
> case it can contain all extensions. Below you can find sizes for all
> types of extensions. Their sum is definitely bigger than 256.
>
> nf_ct_ext_types[0]->len = 24
> nf_ct_ext_types[1]->len = 32
> nf_ct_ext_types[2]->len = 24
> nf_ct_ext_types[3]->len = 32
> nf_ct_ext_types[4]->len = 152
> nf_ct_ext_types[5]->len = 2
> nf_ct_ext_types[6]->len = 16
> nf_ct_ext_types[7]->len = 8
>
> I have seen "len" up to 280 and my host has crashes w/o this patch.
>
> The right way to fix this problem is reducing the size of the ecache
> extension (4) and Florian is going to do this, but these changes will
> be quite large to be appropriate for a stable tree.
>
> v2: rearrange the extension so ECACHE comes last. This is required to
> prevent overflow of nf_ct_ext->offset.
> v3: The previous attempt of rearranging constants doesn't work here,
> because extensions may be added in a random order.
Applied, thanks.