From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] Out Of Bound Read in Netfilter Conntrack
Date: Mon, 6 Nov 2017 16:13:13 +0100 [thread overview]
Message-ID: <20171106151313.GA21034@salvia> (raw)
In-Reply-To: <3567257a-3e96-a603-82c0-d1f32bcffd54@x41-dsec.de>
Hi Eric,
On Wed, Oct 25, 2017 at 09:05:05AM +0200, Eric Sesterhenn wrote:
[...]
> From b8ed8753ca82f6f07fce2901418aab531d98ee39 Mon Sep 17 00:00:00 2001
> From: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
> Date: Wed, 25 Oct 2017 08:32:57 +0200
> Subject: [PATCH netfilter: nf_ct_h323: 1/2] Out Of Bound Read in Netfilter
> Conntrack
>
> Add missing counter decrement to prevent out of bounds memory read.
This one, I already applied it, see below comment on 2/2.
> From c1b7044749e534207ecd3b04281ae024b01887d3 Mon Sep 17 00:00:00 2001
> From: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
> Date: Wed, 25 Oct 2017 08:39:38 +0200
> Subject: [PATCH netfilter: nf_ct_h323: 2/2] Prevent multiple out of bounds
> memory reads.
>
> Multiple accesses are not guarded by out of bound
> checks. This patch introduces them.
>
> Signed-off-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
> ---
> net/netfilter/nf_conntrack_h323_asn1.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
> index 2a9d1acd0cbd..78a218cdf04e 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -104,6 +104,7 @@ typedef struct {
> #define INC_BITS(bs,b) if(((bs)->bit+=(b))>7){(bs)->cur+=(bs)->bit>>3;(bs)->bit&=7;}
> #define BYTE_ALIGN(bs) if((bs)->bit){(bs)->cur++;(bs)->bit=0;}
> #define CHECK_BOUND(bs,n) if((bs)->cur+(n)>(bs)->end)return(H323_ERROR_BOUND)
> +#define CHECK_BIT_BOUND(bs,n) ({ size_t __tmp = n/8; if((bs)->bit+(n%8)>7) { CHECK_BOUND(bs, __tmp + 2); } else { CHECK_BOUND(bs, __tmp + 1); } })
CHECK_BOUND() and your new CHECK_BIT_BOUND() are returning a something
inside a macro, which is a bad practise.
Would you first send me a patch to replace CHECK_BOUND() by a
function, then add place your fix on top of it?
I'd suggest something like:
static inline int nf_h323_error_boundary(...)
{
return bs->cur + (n > bs->end);
}
Then, use it:
if (nf_h323_error_boundary(...))
return H323_ERROR_BOUND;
Please, I'd appreciate if you can send me patches via git-send-mail
too.
Thanks!
next prev parent reply other threads:[~2017-11-06 15:13 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-09 5:01 [PATCH] Out Of Bound Read in Netfilter Conntrack Eric Sesterhenn
2017-10-12 0:03 ` Florian Westphal
2017-10-13 18:29 ` [PATCH] Bitwise " Eric Sesterhenn
2017-10-17 13:09 ` Pablo Neira Ayuso
2017-10-17 13:48 ` Eric Sesterhenn
2017-10-17 13:53 ` Pablo Neira Ayuso
2017-10-24 16:29 ` [PATCH] " Pablo Neira Ayuso
2017-10-24 16:36 ` Pablo Neira Ayuso
2017-10-25 7:05 ` Eric Sesterhenn
2017-11-06 15:13 ` Pablo Neira Ayuso [this message]
2017-11-13 8:09 ` [PATCH 1/2] Convert CHECK_BOUND macro to function eric.sesterhenn
2017-11-13 13:13 ` Pablo Neira Ayuso
2017-11-13 8:09 ` [PATCH 2/2] Extend nf_h323_error_boundary to work on bits as well eric.sesterhenn
2017-11-13 13:14 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106151313.GA21034@salvia \
--to=pablo@netfilter.org \
--cc=eric.sesterhenn@x41-dsec.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).