Michael.Heyman at sparta.com
Wed Sep 21 13:29:22 CEST 2005
I found what appears to be a bug in the "net/ipv4/netfilter/ip_tables.c"
code. The issue arose when I had a mangle table target that could return
NF_STOLEN. The ipt_do_table() routine uses the contents of the sk_buff
to calculate "datalen" even though the sk_buff, upon return from the
"target()" call with NF_STOLEN, should be assumed invalid (in my case, I
had set the returned sk_buff to NULL).
I cannot change the kernel my target must run on. This led me to simply
set the sk_buff returned to a static with the required values,
"skb->len" and "skb->nh.iph->ihl", set to zero. Doing this doesn't seem
to break anything.
I have included a possible patch to fix the issue; I haven't tested the
patch but the idea is to simply move the sk_buff access to a point where
the sk_buff should be valid.
A quick grep shows a similar construct in
"net/ipv4/netfilter/arp_tables.c:arpt_do_table()" that may need a
--- foo.c 2005-09-21 07:00:35.000000000 -0400
+++ net/ipv4/netfilter/ip_tables.c 2005-06-17 15:48:29.000000000
@@ -378,15 +378,16 @@
- /* Target might have changed stuff. */
- ip = (*pskb)->nh.iph;
- datalen = (*pskb)->len - ip->ihl * 4;
if (verdict == IPT_CONTINUE)
e = (void *)e + e->next_offset;
/* Verdict */
+ /* Target might have changed stuff. */
+ ip = (*pskb)->nh.iph;
+ datalen = (*pskb)->len - ip->ihl * 4;
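Review bot: the re-added `ip`/`datalen` lines are placed after the `/* Verdict */` comment rather than inside the `if (verdict == IPT_CONTINUE)` branch, whose only visible body is `e = (void *)e + e->next_offset;`. If, as that comment suggests, `/* Verdict */` belongs to the path taken for verdicts other than IPT_CONTINUE (an `else` ending in `break;` is not visible in this hunk), the dereference would now run precisely on the NF_STOLEN path the report is trying to avoid, and with a brace-less `else` only the first of the added statements would even be part of it. The safe form is to put both lines in a braced IPT_CONTINUE body, e.g. `if (verdict == IPT_CONTINUE) {` / `ip = (*pskb)->nh.iph; datalen = (*pskb)->len - ip->ihl * 4;` / `e = (void *)e + e->next_offset; }`, so `*pskb` is touched only when the target has not stolen it. Separately, the file headers read inverted: `---` names `foo.c` with the later timestamp and `+++` names `net/ipv4/netfilter/ip_tables.c` with the earlier one, so the `+`/`-` sense may be reversed relative to the kernel tree; please regenerate with `diff -u` from the original file to the modified one, and, as the message notes, build-test before it is picked up.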
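A user-space model of the ordering problem described in this message, added here as an example; it is not part of the message, the submitted patch or the kernel source. The verdict values, the `toy_skb`/`toy_iphdr` layouts, the target functions and the 60-byte sample packet are all assumptions chosen for the toy. It contrasts the original order (dereference `*pskb` unconditionally after the target returns) with the fixed order (dereference only on IPT_CONTINUE), and also reproduces the report's workaround of handing back a static placeholder skb with `len` and `ihl` set to zero. Where the kernel would oops on the NULL skb, the toy reports the hazard as a -1 status instead of faulting.

```c
#include <stdint.h>
#include <stdlib.h>

/* Verdict values are assumptions for this toy; the kernel defines its own. */
#define NF_STOLEN     2u
#define IPT_CONTINUE  0xFFFFFFFFu
#define DATALEN_UNSET 0xFFFFFFFFu

struct toy_iphdr { uint8_t ihl; };                   /* header length in 32-bit words */
struct toy_skb   { unsigned int len; struct toy_iphdr *iph; };

typedef unsigned int (*toy_target)(struct toy_skb **pskb);

/* Target 1: lets the packet continue through the table. */
static unsigned int target_continue(struct toy_skb **pskb)
{
    (void)pskb;
    return IPT_CONTINUE;
}

/* Target 2: steals the packet, frees it and NULLs the caller's pointer,
 * as the report says the author's mangle target did. */
static unsigned int target_steal_null(struct toy_skb **pskb)
{
    free((*pskb)->iph);
    free(*pskb);
    *pskb = NULL;
    return NF_STOLEN;
}

/* Target 3: the report's workaround. Steals the packet but hands back a
 * static placeholder with len == 0 and ihl == 0, so an unconditional
 * dereference by the caller computes datalen == 0 instead of faulting. */
static struct toy_iphdr placeholder_iph = { 0 };
static struct toy_skb   placeholder_skb = { 0, &placeholder_iph };

static unsigned int target_steal_placeholder(struct toy_skb **pskb)
{
    free((*pskb)->iph);
    free(*pskb);
    *pskb = &placeholder_skb;
    return NF_STOLEN;
}

/* Minimal model of the verdict handling in ipt_do_table().
 * fixed == 0: dereference *pskb right after the target returns (original order).
 * fixed != 0: dereference only when the verdict is IPT_CONTINUE (fixed order).
 * Returns 0, or -1 when the original order would dereference a NULL skb. */
static int toy_do_table(struct toy_skb **pskb, toy_target target, int fixed,
                        unsigned int *verdict_out, unsigned int *datalen)
{
    unsigned int verdict = target(pskb);
    *verdict_out = verdict;

    if (!fixed) {
        if (*pskb == NULL)
            return -1;                      /* the kernel would oops here */
        *datalen = (*pskb)->len - (*pskb)->iph->ihl * 4;
        return 0;
    }

    if (verdict == IPT_CONTINUE) {
        /* Target might have changed stuff; only on this path is *pskb valid. */
        *datalen = (*pskb)->len - (*pskb)->iph->ihl * 4;
    }
    return 0;
}

/* Constructed sample packet: 60 bytes on the wire, 20-byte IPv4 header. */
static struct toy_skb *make_packet(void)
{
    struct toy_skb *skb = malloc(sizeof *skb);
    skb->iph = malloc(sizeof *skb->iph);
    skb->iph->ihl = 5;
    skb->len = 60;
    return skb;
}

/* Runs one scenario; frees the packet only when it was not stolen. */
static int run_scenario(toy_target target, int fixed,
                        unsigned int *verdict, unsigned int *datalen)
{
    struct toy_skb *skb = make_packet();
    *datalen = DATALEN_UNSET;
    int rc = toy_do_table(&skb, target, fixed, verdict, datalen);
    if (*verdict == IPT_CONTINUE) {
        free(skb->iph);
        free(skb);
    }
    return rc;
}

/* Accessors so each result of a scenario can be checked by name. */
static int scenario_rc(toy_target t, int fixed)
{ unsigned int v, d; return run_scenario(t, fixed, &v, &d); }
static unsigned int scenario_verdict(toy_target t, int fixed)
{ unsigned int v, d; run_scenario(t, fixed, &v, &d); return v; }
static unsigned int scenario_datalen(toy_target t, int fixed)
{ unsigned int v, d; run_scenario(t, fixed, &v, &d); return d; }
```

With the original order a NULL-returning NF_STOLEN target trips the hazard, the placeholder workaround yields `datalen == 0` without faulting, and the fixed order never reads the skb unless the verdict is IPT_CONTINUE, in which case it computes 60 - 5*4 = 40 as before.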