[ANNOUNCE] Bug in kernel == 2.4.10 causing netfilter problem

Harald Welte laforge@gnumonks.org
Sun, 20 Jan 2002 14:18:11 +0100


--AkbCVLjbJ9qUtAXD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi all!

On behalf of the netfilter core team I have the following announcement:

The following kernel versions habe a bug in include/linux/list.h, which
causes netfilter's connection tracking code to misbehave:

2.4.10-pre10
2.4.10-pre11
2.4.10-pre12
2.4.10

The bug in include/linux/list.h has been fixed in 2.4.11-pre1 and all later
kernels.


SYMPTOMS OF THE PROBLEM
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The connection tracking code for tcp has various timeouts for the respective
TCP states the tracked connection can be in. =20

Because of the list_del() problem, the state machine of netfilter connection
tracking doesn't work correctly anymore.

Connections in the state TIME_WAIT or CLOSE_WAIT will have wrong timeouts
up to multiple days (as opposed to their usual timeout, a couple of minutes=
).

This results in the netfilter connection tracking table getting filled with
old, unneeded connection tracking entries.  This presents a vulnerability
towards denial of service attacks.


CAUSE OF THE PROBLEM
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

2.4.10-pre10 included the following change to list.h:

> diff -u --recursive --new-file v2.4.9/linux/include/linux/list.h linux/in=
clude/linux/list.h
> --- v2.4.9/linux/include/linux/list.h	Fri Feb 16 16:06:17 2001
> +++ linux/include/linux/list.h	Sun Sep 23 10:31:02 2001
> @@ -90,6 +92,7 @@
>  static __inline__ void list_del(struct list_head *entry)
>  {
>  	__list_del(entry->prev, entry->next);
> +	entry->next =3D entry->prev =3D 0;
>  }
> =20
>  /**

This change breaks an assumption made by the netfilter connection tracking
code in linux/net/ipv4/netfilter/ip_conntrack_core.c:

> static void
> clean_from_lists(struct ip_conntrack *ct)
> {
>         MUST_BE_WRITE_LOCKED(&ip_conntrack_lock);
>         /* Remove from both hash lists: must not NULL out next ptrs,
>            otherwise we'll look unconfirmed.  Fortunately, LIST_DELETE
>            doesn't do this. --RR */
>         LIST_DELETE(&ip_conntrack_hash
>                     [hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tu=
ple)],
>                     &ct->tuplehash[IP_CT_DIR_ORIGINAL]);
>         LIST_DELETE(&ip_conntrack_hash
>                     [hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple=
)],
>                     &ct->tuplehash[IP_CT_DIR_REPLY]);

LIST_DELETE is a macro expanding to list_del from linux/list.h


SOLUTION TO THE PROBLEM
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Update to a kernel >=3D 2.4.11-pre1 (and don't use 2.4.11 for other reasons=
).

If you really need to keep your 2.4.10 kernel for any reason, try reverting
the list_del change, but this is completely untested and we have no idea how
this might affect other subsystems of the kernel.


Redistribution of this announcement is encouraged, provided that its content
remains unchanged. (C) 2002 by the netfilter core team.


Thanks to Jozsef Kadlecsik for finding the real cause of this problem.

--=20
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-=
=20
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)

--AkbCVLjbJ9qUtAXD
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8SsOTNfqJzMqajVsRAs0vAKC7/KAmjLA3nq3ekERmwqhki3swRgCfTZ7M
YRH4snGnU8Z9YNVhwFH1cLM=
=ALO6
-----END PGP SIGNATURE-----

--AkbCVLjbJ9qUtAXD--