[conntrack-tools] conntrackd: more robust sanity checking on synchronization messages

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Mon Aug 17 12:53:58 CEST 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=32ca6a144903b2e6318ee61d1dda3f670d3c09da
commit 32ca6a144903b2e6318ee61d1dda3f670d3c09da
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Aug 17 12:51:34 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Mon Aug 17 12:51:34 2009 +0200

    conntrackd: more robust sanity checking on synchronization messages
    
    This patch fixes an infinite loop that can occur if a message of
    zero length is received. Moreover, now we always stop the processing
    if the message is malformed.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  32ca6a144903b2e6318ee61d1dda3f670d3c09da (commit)
      from  2c5bed23c8afdd7f349d861fb7e7c8ba33ae3fe1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 32ca6a144903b2e6318ee61d1dda3f670d3c09da
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Aug 17 12:51:34 2009 +0200

    conntrackd: more robust sanity checking on synchronization messages
    
    This patch fixes an infinite loop that can occur if a message of
    zero length is received. Moreover, now we always stop the processing
    if the message is malformed.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 src/sync-mode.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/sync-mode.c b/src/sync-mode.c
index 8cf7aa3..9e3ac39 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -132,6 +132,7 @@ static int channel_handler_routine(struct channel *m, int i)
 	remain = numbytes;
 	while (remain > 0) {
 		struct nethdr *net = (struct nethdr *) ptr;
+		int len;
 
 		if (remain < NETHDR_SIZ) {
 			STATE_SYNC(error).msg_rcv_malformed++;
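Review bot: `len` is introduced here as a plain `int`, but the only value it ever receives (next hunk) is `ntohs(net->len)`, a `uint16_t`, so it can never be negative; declaring it `uint16_t len` (or `unsigned int len`) documents that and avoids a signed/unsigned mismatch when it is compared against `remain`, depending on how `remain` is declared. A short comment on the declaration, e.g. `/* on-wire length of the current message, host byte order */`, would also help, since `net->len` and `len` now coexist in the same block.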
@@ -139,7 +140,8 @@ static int channel_handler_routine(struct channel *m, int i)
 			break;
 		}
 
-		if (ntohs(net->len) > remain) {
+		len = ntohs(net->len);
+		if (len > remain || len <= 0) {
 			STATE_SYNC(error).msg_rcv_malformed++;
 			STATE_SYNC(error).msg_rcv_bad_size++;
 			break;
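Review bot: the new `len <= 0` test is what closes the infinite loop described in the commit message (a zero-length message never advances the cursor), but because `len` comes from `ntohs()` the `< 0` half can never fire, so `len == 0` states the intent more precisely. Stronger still: every message must carry at least a `NETHDR_SIZ` header (the `remain < NETHDR_SIZ` check a few lines above already assumes this), so rejecting with `len < NETHDR_SIZ || len > remain` at this single point would cover the zero case and make the later `len < NETHDR_SIZ` check in the non-ACK branch redundant. Either way, keep the `msg_rcv_bad_size` increment so a peer that emits such frames shows up in the statistics.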
@@ -149,16 +151,19 @@ static int channel_handler_routine(struct channel *m, int i)
 			if (remain < NETHDR_ACK_SIZ) {
 				STATE_SYNC(error).msg_rcv_malformed++;
 				STATE_SYNC(error).msg_rcv_truncated++;
+				break;
 			}
 
-			if (ntohs(net->len) < NETHDR_ACK_SIZ) {
+			if (len < NETHDR_ACK_SIZ) {
 				STATE_SYNC(error).msg_rcv_malformed++;
 				STATE_SYNC(error).msg_rcv_bad_size++;
+				break;
 			}
 		} else {
-			if (ntohs(net->len) < NETHDR_SIZ) {
+			if (len < NETHDR_SIZ) {
 				STATE_SYNC(error).msg_rcv_malformed++;
 				STATE_SYNC(error).msg_rcv_bad_size++;
+				break;
 			}
 		}
 
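Review bot: the three added `break` statements make the function stop at the first malformed message, as the commit message promises, but the hunk now repeats the same four-line pattern (bump `msg_rcv_malformed`, bump the specific counter, `break`) in three places with only the size constant differing. Computing the minimum size once, e.g. `int min_len = is_ack ? NETHDR_ACK_SIZ : NETHDR_SIZ;`, and then doing a single `if (remain < min_len) { ... truncated ... break; }` followed by a single `if (len < min_len) { ... bad_size ... break; }` would remove the duplication and ensure any future message type gets the same treatment. Worth stating in a comment near the loop that `break` discards every remaining message in the same receive buffer, including well-formed ones: that is the intended fail-closed behaviour, and the `msg_rcv_truncated` / `msg_rcv_bad_size` counters are how an operator will notice a peer that keeps triggering it.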