From 5b866eaa34e4ddc312c927030fde5f6a6184ddc5 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <dborkman@redhat.com>
Date: Mon, 6 Jan 2014 00:57:54 +0100
Subject: netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
commit b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 upstream.
Some occurences in the netfilter tree use skb_header_pointer() in
the following way ...
struct dccp_hdr _dh, *dh;
...
skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
... where dh itself is a pointer that is being passed as the copy
buffer. Instead, we need to use &_dh as the fourth argument so that
we're copying the data into an actual buffer that sits on the stack.
Currently, we probably could overwrite memory on the stack (e.g.
with a possibly mal-formed DCCP packet), but unintentionally, as
we only want the buffer to be placed into _dh variable.
Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
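--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -431,7 +431,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
 const char *msg;
 u_int8_t state;
 
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 BUG_ON(dh == NULL);
 
 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
@@ -483,7 +483,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
 u_int8_t type, old_state, new_state;
 enum ct_dccp_roles role;
 
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 BUG_ON(dh == NULL);
 type = dh->dccph_type;
 
@@ -575,7 +575,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
 unsigned int cscov;
 const char *msg;
 
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
 if (dh == NULL) {
 msg = "nf_ct_dccp: short packet ";
 goto out_invalid;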
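Review bot: `BUG_ON(dh == NULL);` in dccp_new() and dccp_packet() panics the kernel if skb_header_pointer() returns NULL, while dccp_error() in the third hunk treats the same NULL as a short packet and takes `goto out_invalid`. The two BUG_ONs are presumably safe only because the error hook has already rejected truncated headers before these functions run, but nothing in the hunks states that invariant. I would add a comment above each, `/* dccp_error() has already rejected packets too short for struct dccp_hdr */`, or degrade gracefully, e.g. `if (dh == NULL) return false;` in dccp_new(). All three function bodies start and end outside their hunks, so the call order should be confirmed against the full file.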
--
cgit v1.1