* [PATCH nf] netfilter: nf_ct_helper: bail out on duplicated ports
@ 2016-05-25 9:13 Pablo Neira Ayuso
2016-05-30 10:25 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2016-05-25 9:13 UTC (permalink / raw)
To: netfilter-devel
Compare the helper name up to the dash, so we can catch if the user has
supplied duplicated ports via module parameters.
Reported-by: Feng Gao <gfree.wind@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_helper.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 3b40ec5..94f36f2 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -361,9 +361,10 @@ EXPORT_SYMBOL_GPL(nf_ct_helper_log);
int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
{
- int ret = 0;
struct nf_conntrack_helper *cur;
unsigned int h = helper_hash(&me->tuple);
+ const char *slash;
+ int len, ret = 0;
BUG_ON(me->expect_policy == NULL);
BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
@@ -371,7 +372,13 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
mutex_lock(&nf_ct_helper_mutex);
hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
- if (strncmp(cur->name, me->name, NF_CT_HELPER_NAME_LEN) == 0 &&
+ slash = strchr(cur->name, '-');
+ if (slash)
+ len = slash - cur->name;
+ else
+ len = NF_CT_HELPER_NAME_LEN;
+
+ if (strncmp(cur->name, me->name, len) == 0 &&
cur->tuple.src.l3num == me->tuple.src.l3num &&
cur->tuple.dst.protonum == me->tuple.dst.protonum) {
ret = -EEXIST;
--
2.1.4
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH nf] netfilter: nf_ct_helper: bail out on duplicated ports
2016-05-25 9:13 [PATCH nf] netfilter: nf_ct_helper: bail out on duplicated ports Pablo Neira Ayuso
@ 2016-05-30 10:25 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2016-05-30 10:25 UTC (permalink / raw)
To: netfilter-devel
On Wed, May 25, 2016 at 11:13:57AM +0200, Pablo Neira Ayuso wrote:
> Compare the helper name up to the dash, so we can catch if the user has
> supplied duplicated ports via module parameters.
>
> Reported-by: Feng Gao <gfree.wind@gmail.com>
> Reported-by: Taehee Yoo <ap420073@gmail.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> net/netfilter/nf_conntrack_helper.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
> index 3b40ec5..94f36f2 100644
> --- a/net/netfilter/nf_conntrack_helper.c
> +++ b/net/netfilter/nf_conntrack_helper.c
> @@ -361,9 +361,10 @@ EXPORT_SYMBOL_GPL(nf_ct_helper_log);
>
> int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
> {
> - int ret = 0;
> struct nf_conntrack_helper *cur;
> unsigned int h = helper_hash(&me->tuple);
> + const char *slash;
> + int len, ret = 0;
>
> BUG_ON(me->expect_policy == NULL);
> BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
> @@ -371,7 +372,13 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
>
> mutex_lock(&nf_ct_helper_mutex);
> hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
> - if (strncmp(cur->name, me->name, NF_CT_HELPER_NAME_LEN) == 0 &&
> + slash = strchr(cur->name, '-');
I'm discarding this, we have a valid helper using dash in the name.
net/netfilter/nf_conntrack_netbios_ns.c: .name = "netbios-ns",
Will send a new version of this patch.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-05-30 10:25 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-25 9:13 [PATCH nf] netfilter: nf_ct_helper: bail out on duplicated ports Pablo Neira Ayuso
2016-05-30 10:25 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).