[conntrack-tools] add more sanity checks in the input path
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Fri Aug 1 00:05:57 CEST 2008
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=fa4eb049a549dfdd48a8f59ef2713694716a6811
commit fa4eb049a549dfdd48a8f59ef2713694716a6811
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Fri Aug 1 00:05:45 2008 +0200
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Fri Aug 1 00:05:45 2008 +0200
add more sanity checks in the input path
Some users have reported crashes when nf_conntrack_ipv6 was not present.
This patch performs more robust sanity checks in the input path.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
via fa4eb049a549dfdd48a8f59ef2713694716a6811 (commit)
from 21aabc2c4248d389fbf18a9110443371cc678b53 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit fa4eb049a549dfdd48a8f59ef2713694716a6811
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Fri Aug 1 00:05:45 2008 +0200
add more sanity checks in the input path
Some users have reported crashes when nf_conntrack_ipv6 was not present.
This patch performs more robust sanity checks in the input path.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-----------------------------------------------------------------------
src/cache.c | 8 --------
src/netlink.c | 38 ++++++++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+), 8 deletions(-)
Some users have reported crashes when nf_conntrack_ipv6 was not present.
This patch performs more robust sanity checks in the input path.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
diff --git a/src/cache.c b/src/cache.c
index c72afd8..a73854f 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -75,14 +75,6 @@ static uint32_t hash(const void *data, struct hashtable *table)
ret = __hash4(u->ct, table);
break;
case AF_INET6:
- if (!nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_SRC) ||
- !nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_DST)) {
- dlog(LOG_ERR, "missing IPv6 address. "
- "You forgot to load "
- "nf_conntrack_ipv6?");
- return 0;
- }
-
ret = __hash6(u->ct, table);
break;
default:
diff --git a/src/netlink.c b/src/netlink.c
index 1287454..a8a5503 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -26,8 +26,46 @@
#include <string.h>
#include <errno.h>
+static int sanity_check(struct nf_conntrack *ct)
+{
+ if (!nfct_attr_is_set(ct, ATTR_L3PROTO)) {
+ dlog(LOG_ERR, "missing layer 3 protocol");
+ return 0;
+ }
+
+ switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
+ dlog(LOG_ERR, "missing IPv4 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv4?");
+ return 0;
+ }
+ break;
+ case AF_INET6:
+ if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
+ dlog(LOG_ERR, "missing IPv6 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv6?");
+ return 0;
+ }
+ break;
+ }
+ return 1;
+}
+
int ignore_conntrack(struct nf_conntrack *ct)
{
+ /* missing mandatory attributes in object */
+ if (!sanity_check(ct))
+ return 1;
+
/* Accept DNAT'ed traffic: not really coming to the local machine */
if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
debug_ct(ct, "DNAT");
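Review bot: The switch in sanity_check has no default case, so an object whose ATTR_L3PROTO is neither AF_INET nor AF_INET6 falls out of the switch and returns 1, i.e. is treated as complete; the hash() switch in cache.c does show a `default:` branch, but what it does with such an object is not visible here, and rejecting it up front is cheaper: `default: dlog(LOG_ERR, "unsupported layer 3 protocol"); return 0;`. Because the cache.c hunk removes the IPv6 attribute check from hash(), sanity_check is now the only guard before the address attributes are read, so any object that enters the cache without passing through ignore_conntrack (for instance one rebuilt from a message received from a peer, if such a path exists) would be unchecked — worth confirming, or keeping a cheap check in hash() as well. The libnetfilter_conntrack accessors used here take a const object, so the parameter could be `const struct nf_conntrack *ct`. ignore_conntrack's body continues past the end of the hunk.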