From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 6/7] netfilter: nfnetlink_osf: add missing fmatch check
Date: Mon, 28 Jan 2019 15:04:04 +0100 [thread overview]
Message-ID: <20190128140405.15020-7-pablo@netfilter.org> (raw)
In-Reply-To: <20190128140405.15020-1-pablo@netfilter.org>
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
When we check the tcp options of a packet and it doesn't match the current
fingerprint, the tcp packet option pointer must be restored to its initial
value in order to do the proper tcp options check for the next fingerprint.
Here we can see an example.
Assumming the following fingerprint base with two lines:
S10:64:1:60:M*,S,T,N,W6: Linux:3.0::Linux 3.0
S20:64:1:60:M*,S,T,N,W7: Linux:4.19:arch:Linux 4.1
Where TCP options are the last field in the OS signature, all of them overlap
except by the last one, ie. 'W6' versus 'W7'.
In case a packet for Linux 4.19 kicks in, the osf finds no matching because the
TCP options pointer is updated after checking for the TCP options in the first
line.
Therefore, reset pointer back to where it should be.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_osf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 6f41dd74729d..1f1d90c1716b 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -66,6 +66,7 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
int ttl_check,
struct nf_osf_hdr_ctx *ctx)
{
+ const __u8 *optpinit = ctx->optp;
unsigned int check_WSS = 0;
int fmatch = FMATCH_WRONG;
int foptsize, optnum;
@@ -155,6 +156,9 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
}
}
+ if (fmatch != FMATCH_OK)
+ ctx->optp = optpinit;
+
return fmatch == FMATCH_OK;
}
--
2.11.0
next prev parent reply other threads:[~2019-01-28 14:04 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-28 14:03 [PATCH 0/7] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2019-01-28 14:03 ` [PATCH 1/7] netfilter: nft_compat: use refcnt_t type for nft_xt reference count Pablo Neira Ayuso
2019-01-28 14:04 ` [PATCH 2/7] netfilter: nft_compat: make lists per netns Pablo Neira Ayuso
2019-01-28 14:04 ` [PATCH 3/7] netfilter: nft_compat: destroy function must not have side effects Pablo Neira Ayuso
2019-01-28 14:04 ` [PATCH 4/7] ipvs: Fix signed integer overflow when setsockopt timeout Pablo Neira Ayuso
2019-01-28 14:04 ` [PATCH 5/7] netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present Pablo Neira Ayuso
2019-01-28 14:04 ` Pablo Neira Ayuso [this message]
2019-01-28 14:04 ` [PATCH 7/7] netfilter: ipt_CLUSTERIP: fix warning unused variable cn Pablo Neira Ayuso
2019-01-28 18:52 ` [PATCH 0/7] Netfilter/IPVS fixes for net David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190128140405.15020-7-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).