[patch] netfilter: default to NF_DROP in sip_help_tcp()

[patch] netfilter: default to NF_DROP in sip_help_tcp()

[Simon Horman]

I initially noticed this because of the compiler warning below, but it does
seem to be a valid concern in the case where ct_sip_get_header() returns 0
in the first iteration of the while loop.

net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function

Signed-off-by: Simon Horman <horms@verge.net.au>

Index: nf-next-2.6/net/netfilter/nf_conntrack_sip.c
===================================================================
--- nf-next-2.6.orig/net/netfilter/nf_conntrack_sip.c	2010-07-10 12:11:52.000000000 +0900
+++ nf-next-2.6/net/netfilter/nf_conntrack_sip.c	2010-07-10 12:11:57.000000000 +0900
@@ -1376,7 +1376,7 @@ static int sip_help_tcp(struct sk_buff *
 	unsigned int msglen, origlen;
 	const char *dptr, *end;
 	s16 diff, tdiff = 0;
-	int ret;
+	int ret = NF_DROP;
 	typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
 
 	if (ctinfo != IP_CT_ESTABLISHED &&

Re: [patch] netfilter: default to NF_DROP in sip_help_tcp()

[Patrick McHardy]

On 10.07.2010 05:16, Simon Horman wrote:
> I initially noticed this because of the compiler warning below, but it does
> seem to be a valid concern in the case where ct_sip_get_header() returns 0
> in the first iteration of the while loop.
> 
> net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
> net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function

Thanks Simon. I've applied the patch, but changed NF_DROP to
NF_ACCEPT since we should avoid dropping packets with unknown
contents (not SIP) if possible.

Re: [patch] netfilter: default to NF_DROP in sip_help_tcp()

[Simon Horman]

On Wed, Jul 14, 2010 at 02:23:01PM +0200, Patrick McHardy wrote:
> On 10.07.2010 05:16, Simon Horman wrote:
> > I initially noticed this because of the compiler warning below, but it does
> > seem to be a valid concern in the case where ct_sip_get_header() returns 0
> > in the first iteration of the while loop.
> > 
> > net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
> > net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
> 
> Thanks Simon. I've applied the patch, but changed NF_DROP to
> NF_ACCEPT since we should avoid dropping packets with unknown
> contents (not SIP) if possible.

Thanks, to be honest I was a bit unsure of what policy was best.

Re: [patch] netfilter: default to NF_DROP in sip_help_tcp()

[Simon Horman]

On Wed, Jul 14, 2010 at 02:23:01PM +0200, Patrick McHardy wrote:
> On 10.07.2010 05:16, Simon Horman wrote:
> > I initially noticed this because of the compiler warning below, but it does
> > seem to be a valid concern in the case where ct_sip_get_header() returns 0
> > in the first iteration of the while loop.
> > 
> > net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
> > net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
> 
> Thanks Simon. I've applied the patch, but changed NF_DROP to
> NF_ACCEPT since we should avoid dropping packets with unknown
> contents (not SIP) if possible.

Hi Patrick,

I'm not seeing this patch in nf-next-2.6.
Am I looking in the wrong place?

Re: [patch] netfilter: default to NF_DROP in sip_help_tcp()

[Patrick McHardy]

Am 04.08.2010 10:07, schrieb Simon Horman:
> On Wed, Jul 14, 2010 at 02:23:01PM +0200, Patrick McHardy wrote:
>> On 10.07.2010 05:16, Simon Horman wrote:
>>> I initially noticed this because of the compiler warning below, but it does
>>> seem to be a valid concern in the case where ct_sip_get_header() returns 0
>>> in the first iteration of the while loop.
>>>
>>> net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
>>> net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
>>
>> Thanks Simon. I've applied the patch, but changed NF_DROP to
>> NF_ACCEPT since we should avoid dropping packets with unknown
>> contents (not SIP) if possible.
> 
> Hi Patrick,
> 
> I'm not seeing this patch in nf-next-2.6.
> Am I looking in the wrong place?

I was struggling with some file system corruption and didn't manage
to send it out in time, sorry. I'll include it in the next batch of
patches for .36 and will also push it to -stable.

Re: [patch] netfilter: default to NF_DROP in sip_help_tcp()

[Simon Horman]

On Wed, Aug 04, 2010 at 06:10:42PM +0200, Patrick McHardy wrote:
> Am 04.08.2010 10:07, schrieb Simon Horman:
> > On Wed, Jul 14, 2010 at 02:23:01PM +0200, Patrick McHardy wrote:
> >> On 10.07.2010 05:16, Simon Horman wrote:
> >>> I initially noticed this because of the compiler warning below, but it does
> >>> seem to be a valid concern in the case where ct_sip_get_header() returns 0
> >>> in the first iteration of the while loop.
> >>>
> >>> net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
> >>> net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
> >>
> >> Thanks Simon. I've applied the patch, but changed NF_DROP to
> >> NF_ACCEPT since we should avoid dropping packets with unknown
> >> contents (not SIP) if possible.
> > 
> > Hi Patrick,
> > 
> > I'm not seeing this patch in nf-next-2.6.
> > Am I looking in the wrong place?
> 
> I was struggling with some file system corruption and didn't manage
> to send it out in time, sorry. I'll include it in the next batch of
> patches for .36 and will also push it to -stable.

Thanks, I'm happy so long as it makes it eventually.