netfilter-devel.vger.kernel.org archive mirror
* [NETFILTER 00/03]: Netfilter fixes
@ 2007-01-30 18:16 Patrick McHardy
  2007-01-30 18:16 ` [NETFILTER 01/03]: xt_connbytes: fix division by zero Patrick McHardy
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Patrick McHardy @ 2007-01-30 18:16 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

Hi Dave,

following are a few more netfilter fixes for 2.6.20, fixing a division
by zero in the connbytes match (I will pass this one on to -stable as
well) and two problems with the SIP conntrack helper.

Please apply, thanks.


 net/ipv4/netfilter/ip_conntrack_sip.c |   10 ++++++++--
 net/netfilter/nf_conntrack_sip.c      |   10 ++++++++--
 net/netfilter/xt_connbytes.c          |   29 ++++++++++++-----------------
 3 files changed, 28 insertions(+), 21 deletions(-)

Lars Immisch:
      [NETFILTER]: SIP conntrack: fix skipping over user info in SIP headers

Patrick McHardy:
      [NETFILTER]: xt_connbytes: fix division by zero
      [NETFILTER]: SIP conntrack: fix out of bounds memory access


* [NETFILTER 01/03]: xt_connbytes: fix division by zero
  2007-01-30 18:16 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
@ 2007-01-30 18:16 ` Patrick McHardy
  2007-01-30 22:24   ` David Miller
  2007-01-30 18:16 ` [NETFILTER 02/03]: SIP conntrack: fix skipping over user info in SIP headers Patrick McHardy
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 8+ messages in thread
From: Patrick McHardy @ 2007-01-30 18:16 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: xt_connbytes: fix division by zero

When the packet counter of a connection is zero a division by zero
occurs in div64_64(). Fix that by using zero as average value, which
is correct as long as the packet counter didn't overflow, at which
point we have lost anyway.

Additionally we're probably going to go back to 64 bit counters
in 2.6.21.

Based on patch from Jonas Berlin <xkr47@outerspace.dyndns.org>,
with suggestions from KOVACS Krisztian <hidden@balabit.hu>.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 0893450b69979cc8ee6ef9335bdef4f442f21e8e
tree 4dd285255056ce84002e77f9cde926f26c6aefff
parent 9999a622b03b44e395c8388ff9ab99f99726dce0
author Patrick McHardy <kaber@trash.net> Fri, 26 Jan 2007 18:22:35 +0100
committer Patrick McHardy <kaber@trash.net> Sun, 28 Jan 2007 00:25:03 +0100

 net/netfilter/xt_connbytes.c |   29 ++++++++++++-----------------
 1 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index d93cb09..5e32dfa 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -52,6 +52,8 @@ match(const struct sk_buff *skb,
 {
 	const struct xt_connbytes_info *sinfo = matchinfo;
 	u_int64_t what = 0;	/* initialize to make gcc happy */
+	u_int64_t bytes = 0;
+	u_int64_t pkts = 0;
 	const struct ip_conntrack_counter *counters;
 
 	if (!(counters = nf_ct_get_counters(skb)))
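
Review bot: The comment on `what` in the context line, `/* initialize to make gcc happy */`, no longer covers what that initializer does. Once the division is guarded by `if (pkts != 0)`, the zero in `what = 0` is the average actually used for a connection with no counted packets. Update the comment to say so, or assign `what = 0` explicitly where the guard fails. The zero initializers on `bytes` and `pkts` matter in the same way: if `sinfo->direction` matches none of the three cases, `pkts` stays 0 and the division is skipped.
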
@@ -89,29 +91,22 @@ match(const struct sk_buff *skb,
 	case XT_CONNBYTES_AVGPKT:
 		switch (sinfo->direction) {
 		case XT_CONNBYTES_DIR_ORIGINAL:
-			what = div64_64(counters[IP_CT_DIR_ORIGINAL].bytes,
-					counters[IP_CT_DIR_ORIGINAL].packets);
+			bytes = counters[IP_CT_DIR_ORIGINAL].bytes;
+			pkts  = counters[IP_CT_DIR_ORIGINAL].packets;
 			break;
 		case XT_CONNBYTES_DIR_REPLY:
-			what = div64_64(counters[IP_CT_DIR_REPLY].bytes,
-					counters[IP_CT_DIR_REPLY].packets);
+			bytes = counters[IP_CT_DIR_REPLY].bytes;
+			pkts  = counters[IP_CT_DIR_REPLY].packets;
 			break;
 		case XT_CONNBYTES_DIR_BOTH:
-			{
-				u_int64_t bytes;
-				u_int64_t pkts;
-				bytes = counters[IP_CT_DIR_ORIGINAL].bytes +
-					counters[IP_CT_DIR_REPLY].bytes;
-				pkts = counters[IP_CT_DIR_ORIGINAL].packets+
-					counters[IP_CT_DIR_REPLY].packets;
-
-				/* FIXME_THEORETICAL: what to do if sum
-				 * overflows ? */
-
-				what = div64_64(bytes, pkts);
-			}
+			bytes = counters[IP_CT_DIR_ORIGINAL].bytes +
+				counters[IP_CT_DIR_REPLY].bytes;
+			pkts  = counters[IP_CT_DIR_ORIGINAL].packets +
+				counters[IP_CT_DIR_REPLY].packets;
 			break;
 		}
+		if (pkts != 0)
+			what = div64_64(bytes, pkts);
 		break;
 	}
 
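
Review bot: The removed `FIXME_THEORETICAL` comment in the `XT_CONNBYTES_DIR_BOTH` case was the only place the code mentioned that the summed counters can overflow, and the sums are still computed the same way. The commit message accepts that case, so keep a one-line comment next to `if (pkts != 0)` saying that a zero packet count yields a zero average and that a wrapped counter is not handled, so the reasoning stays with the code.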


* [NETFILTER 02/03]: SIP conntrack: fix skipping over user info in SIP headers
  2007-01-30 18:16 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
  2007-01-30 18:16 ` [NETFILTER 01/03]: xt_connbytes: fix division by zero Patrick McHardy
@ 2007-01-30 18:16 ` Patrick McHardy
  2007-01-30 22:25   ` David Miller
  2007-01-30 18:16 ` [NETFILTER 03/03]: SIP conntrack: fix out of bounds memory access Patrick McHardy
  2007-01-30 22:25 ` [NETFILTER 00/03]: Netfilter fixes David Miller
  3 siblings, 1 reply; 8+ messages in thread
From: Patrick McHardy @ 2007-01-30 18:16 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: SIP conntrack: fix skipping over user info in SIP headers

When trying to skip over the username in the Contact header, stop at the
end of the line if no @ is found to avoid mangling following headers.
We don't need to worry about continuation lines because we search inside
a SIP URI.

Fixes Netfilter Bugzilla #532.

Signed-off-by: Lars Immisch <lars@ibp.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit b54e6be6e7cc6a9dc5ec5d8876a9d04b552795e5
tree f0addf22cec7621ab515b918cab5b32df2e1b1e4
parent 0893450b69979cc8ee6ef9335bdef4f442f21e8e
author Lars Immisch <lars@ibp.de> Sun, 28 Jan 2007 00:29:58 +0100
committer Patrick McHardy <kaber@trash.net> Sun, 28 Jan 2007 00:29:58 +0100

 net/ipv4/netfilter/ip_conntrack_sip.c |    8 +++++++-
 net/netfilter/nf_conntrack_sip.c      |    8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c
index 3a26d63..571d27e 100644
--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -283,8 +283,14 @@ static int skp_epaddr_len(const char *dp
 {
 	int s = *shift;
 
-	for (; dptr <= limit && *dptr != '@'; dptr++)
+	/* Search for @, but stop at the end of the line.
+	 * We are inside a sip: URI, so we don't need to worry about
+	 * continuation lines. */
+	while (dptr <= limit &&
+	       *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
 		(*shift)++;
+		dptr++;
+	}
 
 	if (*dptr == '@') {
 		dptr++;
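
Review bot: The context line `if (*dptr == '@')` after the new loop still dereferences `dptr` unconditionally. The loop can exit because `dptr <= limit` failed, in which case `dptr` is already past `limit` and this read is outside the searched range. Guard it as `if (dptr <= limit && *dptr == '@')`, here or in a follow-up.
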
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index eb2a241..c93fb37 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -303,8 +303,14 @@ static int skp_epaddr_len(struct nf_conn
 {
 	int s = *shift;
 
-	for (; dptr <= limit && *dptr != '@'; dptr++)
+	/* Search for @, but stop at the end of the line.
+	 * We are inside a sip: URI, so we don't need to worry about
+	 * continuation lines. */
+	while (dptr <= limit &&
+	       *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
 		(*shift)++;
+		dptr++;
+	}
 
 	if (*dptr == '@') {
 		dptr++;
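
Review bot: The loop condition `dptr <= limit` treats `limit` as the last readable byte, not one past the end, and nothing in this hunk shows how the caller computes it. A short comment on `skp_epaddr_len` stating that `limit` is inclusive would make the bound checkable by the next reader; if it is actually one past the end, the comparison should be `<`.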


* [NETFILTER 03/03]: SIP conntrack: fix out of bounds memory access
  2007-01-30 18:16 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
  2007-01-30 18:16 ` [NETFILTER 01/03]: xt_connbytes: fix division by zero Patrick McHardy
  2007-01-30 18:16 ` [NETFILTER 02/03]: SIP conntrack: fix skipping over user info in SIP headers Patrick McHardy
@ 2007-01-30 18:16 ` Patrick McHardy
  2007-01-30 22:25   ` David Miller
  2007-01-30 22:25 ` [NETFILTER 00/03]: Netfilter fixes David Miller
  3 siblings, 1 reply; 8+ messages in thread
From: Patrick McHardy @ 2007-01-30 18:16 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: SIP conntrack: fix out of bounds memory access

When checking for an @-sign in skp_epaddr_len, make sure not to
run over the packet boundaries.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9c13a2e187957e0656eb458ca1251bd1b79aebaa
tree 327ef498d7b592cf4e90c2ea5b38c0e8c0cab1d9
parent b54e6be6e7cc6a9dc5ec5d8876a9d04b552795e5
author Patrick McHardy <kaber@trash.net> Sun, 28 Jan 2007 00:33:53 +0100
committer Patrick McHardy <kaber@trash.net> Sun, 28 Jan 2007 00:33:53 +0100

 net/ipv4/netfilter/ip_conntrack_sip.c |    2 +-
 net/netfilter/nf_conntrack_sip.c      |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c
index 571d27e..11c588a 100644
--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -292,7 +292,7 @@ static int skp_epaddr_len(const char *dp
 		dptr++;
 	}
 
-	if (*dptr == '@') {
+	if (dptr <= limit && *dptr == '@') {
 		dptr++;
 		(*shift)++;
 	} else
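
Review bot: The new guard in `if (dptr <= limit && *dptr == '@')` is right, but the commit message does not say which input reaches it. From the loop changed in the previous patch, that is a URI with no `@` and no line end before `limit`; stating that in the changelog would help anyone judging whether the fix needs backporting.
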
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c93fb37..9dec115 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -312,7 +312,7 @@ static int skp_epaddr_len(struct nf_conn
 		dptr++;
 	}
 
-	if (*dptr == '@') {
+	if (dptr <= limit && *dptr == '@') {
 		dptr++;
 		(*shift)++;
 	} else
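
Review bot: `skp_epaddr_len` exists in two copies, and the guard at `if (dptr <= limit && *dptr == '@')` has to be added to each by hand. A comment in both files pointing at the other copy would make it less likely that a later bounds fix lands in only one of them.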


* Re: [NETFILTER 01/03]: xt_connbytes: fix division by zero
  2007-01-30 18:16 ` [NETFILTER 01/03]: xt_connbytes: fix division by zero Patrick McHardy
@ 2007-01-30 22:24   ` David Miller
  0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2007-01-30 22:24 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 30 Jan 2007 19:16:28 +0100 (MET)

> [NETFILTER]: xt_connbytes: fix division by zero
> 
> When the packet counter of a connection is zero a division by zero
> occurs in div64_64(). Fix that by using zero as average value, which
> is correct as long as the packet counter didn't overflow, at which
> point we have lost anyway.
> 
> Additionally we're probably going to go back to 64 bit counters
> in 2.6.21.
> 
> Based on patch from Jonas Berlin <xkr47@outerspace.dyndns.org>,
> with suggestions from KOVACS Krisztian <hidden@balabit.hu>.
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.


* Re: [NETFILTER 02/03]: SIP conntrack: fix skipping over user info in SIP headers
  2007-01-30 18:16 ` [NETFILTER 02/03]: SIP conntrack: fix skipping over user info in SIP headers Patrick McHardy
@ 2007-01-30 22:25   ` David Miller
  0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2007-01-30 22:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 30 Jan 2007 19:16:30 +0100 (MET)

> [NETFILTER]: SIP conntrack: fix skipping over user info in SIP headers
> 
> When trying to skip over the username in the Contact header, stop at the
> end of the line if no @ is found to avoid mangling following headers.
> We don't need to worry about continuation lines because we search inside
> a SIP URI.
> 
> Fixes Netfilter Bugzilla #532.
> 
> Signed-off-by: Lars Immisch <lars@ibp.de>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.


* Re: [NETFILTER 03/03]: SIP conntrack: fix out of bounds memory access
  2007-01-30 18:16 ` [NETFILTER 03/03]: SIP conntrack: fix out of bounds memory access Patrick McHardy
@ 2007-01-30 22:25   ` David Miller
  0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2007-01-30 22:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 30 Jan 2007 19:16:31 +0100 (MET)

> [NETFILTER]: SIP conntrack: fix out of bounds memory access
> 
> When checking for an @-sign in skp_epaddr_len, make sure not to
> run over the packet boundaries.
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.


* Re: [NETFILTER 00/03]: Netfilter fixes
  2007-01-30 18:16 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
                   ` (2 preceding siblings ...)
  2007-01-30 18:16 ` [NETFILTER 03/03]: SIP conntrack: fix out of bounds memory access Patrick McHardy
@ 2007-01-30 22:25 ` David Miller
  3 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2007-01-30 22:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 30 Jan 2007 19:16:27 +0100 (MET)

> Hi Dave,
> 
> following are a few more netfilter fixes for 2.6.20, fixing a division
> by zero in the connbytes match (I will pass this one on to -stable as
> well) and two problems with the SIP conntrack helper.
> 
> Please apply, thanks.

I sucked these all in, please push that one to -stable, thanks.

