[conntrack-tools] add more sanity checks in the input path

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Fri Aug 1 00:05:57 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=fa4eb049a549dfdd48a8f59ef2713694716a6811
commit fa4eb049a549dfdd48a8f59ef2713694716a6811
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Fri Aug 1 00:05:45 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Fri Aug 1 00:05:45 2008 +0200

    add more sanity checks in the input path
    
    Some users have reported crashes when nf_conntrack_ipv6 was not present.
    This patch performs more robust sanity checks in the input path.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  fa4eb049a549dfdd48a8f59ef2713694716a6811 (commit)
      from  21aabc2c4248d389fbf18a9110443371cc678b53 (commit)


- Log -----------------------------------------------------------------
commit fa4eb049a549dfdd48a8f59ef2713694716a6811
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Fri Aug 1 00:05:45 2008 +0200

    add more sanity checks in the input path
    
    Some users have reported crashes when nf_conntrack_ipv6 was not present.
    This patch performs more robust sanity checks in the input path.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 src/cache.c   |    8 --------
 src/netlink.c |   38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 8 deletions(-)
Some users have reported crashes when nf_conntrack_ipv6 was not present.
This patch performs more robust sanity checks in the input path.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/src/cache.c b/src/cache.c
index c72afd8..a73854f 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -75,14 +75,6 @@ static uint32_t hash(const void *data, struct hashtable *table)
 			ret = __hash4(u->ct, table);
 			break;
 		case AF_INET6:
-			if (!nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_SRC) ||
-			    !nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_DST)) {
-				dlog(LOG_ERR, "missing IPv6 address. "
-					      "You forgot to load "
-					      "nf_conntrack_ipv6?");
-				return 0;
-			}
-
 			ret = __hash6(u->ct, table);
 			break;
 		default:
diff --git a/src/netlink.c b/src/netlink.c
index 1287454..a8a5503 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -26,8 +26,46 @@
 #include <string.h>
 #include <errno.h>
 
+static int sanity_check(struct nf_conntrack *ct)
+{
+	if (!nfct_attr_is_set(ct, ATTR_L3PROTO)) {
+		dlog(LOG_ERR, "missing layer 3 protocol");
+		return 0;
+	}
+
+	switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+	case AF_INET:
+		if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
+		    !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
+		    !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
+		    !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
+		    	dlog(LOG_ERR, "missing IPv4 address. "
+				      "You forgot to load "
+				      "nf_conntrack_ipv4?");
+			return 0;
+		}
+		break;
+	case AF_INET6:
+		if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
+		    !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
+		    !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
+		    !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
+		    	dlog(LOG_ERR, "missing IPv6 address. "
+				      "You forgot to load "
+				      "nf_conntrack_ipv6?");
+			return 0;
+		}
+		break;
+	}
+	return 1;
+}
+
 int ignore_conntrack(struct nf_conntrack *ct)
 {
+	/* missing mandatory attributes in object */
+	if (!sanity_check(ct))
+		return 1;
+
 	/* Accept DNAT'ed traffic: not really coming to the local machine */
 	if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
 		debug_ct(ct, "DNAT");
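Review bot: The switch in sanity_check has no default case, so an object whose ATTR_L3PROTO is neither AF_INET nor AF_INET6 passes the check and is handed on with `return 1`, even though the address attributes that the rest of the input path appears to rely on were never verified (the hash() in src/cache.c only handles these two families, and its `default:` branch is outside this diff). If the input path supports only those families, a `default: dlog(LOG_ERR, "unsupported layer 3 protocol"); return 0;` before the final `return 1;` would make the check reject rather than silently accept such objects. Separately, the two `dlog(LOG_ERR, "missing IPv4 address. "` / `"missing IPv6 address. "` lines are indented with a mix of tabs and spaces while the rest of the function uses tabs only. ignore_conntrack's body continues past the end of the hunk.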


