(no subject)
Henrik Nordstrom
hno at marasystems.com
Thu Sep 22 10:01:13 CEST 2005
On Wed, 21 Sep 2005, Heyman, Michael wrote:
> I found what appears to be a bug in the "net/ipv4/netfilter/ip_tables.c"
> code. The issue arose when I had a mangle table target that could return
> NF_STOLEN. The ipt_do_table() routine uses the contents of the sk_buff
> to calculate "datalen" even though the sk_buff, upon return from the
> "target()" call with NF_STOLEN, should be assumed invalid (in my case, I
> had set the returned sk_buff to NULL).
>
> --- foo.c 2005-09-21 07:00:35.000000000 -0400
> +++ net/ipv4/netfilter/ip_tables.c 2005-06-17 15:48:29.000000000
> -0400
> @@ -378,15 +378,16 @@
> ((struct ipt_entry
> *)table_base)->comefrom
> = 0x57acc001;
> #endif
> - /* Target might have changed stuff. */
> - ip = (*pskb)->nh.iph;
> - datalen = (*pskb)->len - ip->ihl * 4;
> -
> if (verdict == IPT_CONTINUE)
> e = (void *)e + e->next_offset;
> else
> /* Verdict */
> break;
> +
> + /* Target might have changed stuff. */
> + ip = (*pskb)->nh.iph;
> + datalen = (*pskb)->len - ip->ihl * 4;
> +
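Review bot: the file headers are reversed relative to the hunk body: `--- foo.c` (dated 2005-09-21) is listed as the old file and `+++ net/ipv4/netfilter/ip_tables.c` (dated 2005-06-17) as the new one, yet the `-` lines carry the tree's current ordering and the `+` lines the proposed move, so `patch` will not apply this against ip_tables.c as given; regenerate it with the pristine tree file on the `---` side. The mail client has also wrapped the hunk (the `-0400` timezone on its own line, the `comefrom = 0x57acc001;` assignment split over three lines), which breaks the `@@ -378,15 +378,16 @@` line counts; send the diff as an attachment or with wrapping disabled. On the logic, moving `ip = (*pskb)->nh.iph;` and `datalen = ...` behind the `if (verdict == IPT_CONTINUE)` branch does stop `*pskb` being dereferenced after a target returns NF_STOLEN and NULLs it, but every other verdict now leaves `ip` and `datalen` stale when the loop `break`s, so the change is only safe if nothing after the loop reads them; the hunk does not show that code, so the commit message should state it.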
This patch on the other hand fails in the perhaps more common situation
where a target mangles the payload and returns NF_ACCEPT.
Regards
Henrik