What basic sanity checking on packet headers is done
Patrick McHardy
kaber at trash.net
Fri Sep 29 18:50:01 CEST 2006
Wayne Schroeder wrote:
> I've written a new target module that uses the ip header fields of ihl
> and tot_len for offsets into the packets. How safe is the data in the
> ip headers? Is there sanity checking when the packet is received off
> the wire... for instance -- is it safe to assume in the prerouting chain
> of the mangle table that tot_len will not put me past the memory
> allocated for the packet? Same goes for ihl?
Check out ip_rcv() in ip_input.c. ihl and tot_len are _usually_ valid
within netfilter. The only exception is raw sockets: on the outgoing
hooks the only guarantee is that ihl * 4 >= sizeof(struct iphdr)
(only for ip_tables, see iptable_filter.c). We could consider providing
stricter guarantees; I'm pretty sure some modules only perform
insufficient checks.
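
As an added example (not part of the original message and not netfilter code), here is a user-space C sketch of the bounds checks a module can repeat before using ihl and tot_len as offsets, for the case described above where only ihl * 4 >= sizeof(struct iphdr) is guaranteed. The names ipv4_offsets_ok, check_variant and sample_pkt are hypothetical, the packet bytes are constructed, and header checksum validation is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IPV4_MIN_HDR 20u /* bytes in an IPv4 header without options */

/* Hypothetical helper (not a kernel API): returns 0 and fills *hdr_len and
 * *tot_len only when both are safe offsets into buf[0..buf_len); else -1. */
int ipv4_offsets_ok(const uint8_t *buf, size_t buf_len,
                    size_t *hdr_len, size_t *tot_len)
{
    if (buf == NULL || buf_len < IPV4_MIN_HDR)
        return -1;                          /* fixed header not fully present */
    if ((buf[0] >> 4) != 4)
        return -1;                          /* version field is not 4 */
    size_t ihl_bytes = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl_bytes < IPV4_MIN_HDR || ihl_bytes > buf_len)
        return -1;                          /* ihl < 5, or options overrun buffer */
    size_t total = ((size_t)buf[2] << 8) | buf[3]; /* tot_len is big-endian */
    if (total < ihl_bytes || total > buf_len)
        return -1;                          /* tot_len inside header or past buffer */
    *hdr_len = ihl_bytes;
    *tot_len = total;
    return 0;
}

/* Constructed sample: 20-byte header plus 8 payload bytes, documentation IPs. */
static const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 1, 192, 0, 2, 2, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Demo driver: overwrite version/ihl and tot_len in a copy, then validate. */
int check_variant(uint8_t ver_ihl, uint16_t tot, size_t buf_len)
{
    uint8_t pkt[sizeof(sample_pkt)];
    size_t hl = 0, tl = 0;
    if (buf_len > sizeof(pkt)) return -1;   /* never claim more than we hold */
    memcpy(pkt, sample_pkt, sizeof(pkt));
    pkt[0] = ver_ihl;
    pkt[2] = (uint8_t)(tot >> 8);
    pkt[3] = (uint8_t)(tot & 0xff);
    return ipv4_offsets_ok(pkt, buf_len, &hl, &tl);
}

int main(void)
{
    printf("valid=%d big_tot_len=%d big_ihl=%d\n", check_variant(0x45, 28, 28),
           check_variant(0x45, 1500, 28), check_variant(0x4f, 28, 28));
    return 0;
}
```
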