
Contents of /genpatches-2.6/tags/2.6.15-2/1110_netfilter-pptp-crash2.patch



Revision 259 - (show annotations) (download)
Wed Jan 11 21:46:01 2006 UTC (8 years, 8 months ago) by dsd
File size: 5710 byte(s)
2.6.15-2 release
1 From stable-bounces@linux.kernel.org Mon Jan 9 17:04:42 2006
2 Message-ID: <43C30717.8030205@trash.net>
3 Date: Tue, 10 Jan 2006 02:00:07 +0100
4 From: Patrick McHardy <kaber@trash.net>
5 To: stable@kernel.org
6 Cc:
7 Subject: [NETFILTER]: Fix another crash in ip_nat_pptp
8
9 The PPTP NAT helper calculates the offset at which the packet needs
10 to be mangled as the difference between two pointers to the header. With
11 non-linear skbs however the pointers may point to two separate buffers
12 on the stack and the calculation results in a wrong offset being
13 used.
14
15 Signed-off-by: Patrick McHardy <kaber@trash.net>
16 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
17 ---
18 net/ipv4/netfilter/ip_nat_helper_pptp.c | 57 +++++++++++++++-----------------
19 1 file changed, 27 insertions(+), 30 deletions(-)
20
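--- linux-2.6.15.y.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ linux-2.6.15.y/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -148,14 +148,14 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 {
 struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
 struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
-
- u_int16_t msg, *cid = NULL, new_callid;
+ u_int16_t msg, new_callid;
+ unsigned int cid_off;
 
 new_callid = htons(ct_pptp_info->pns_call_id);
 
 switch (msg = ntohs(ctlh->messageType)) {
 case PPTP_OUT_CALL_REQUEST:
- cid = &pptpReq->ocreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, ocreq.callID);
 /* FIXME: ideally we would want to reserve a call ID
 * here. current netfilter NAT core is not able to do
 * this :( For now we use TCP source port. This breaks
@@ -172,10 +172,10 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 ct_pptp_info->pns_call_id = ntohs(new_callid);
 break;
 case PPTP_IN_CALL_REPLY:
- cid = &pptpReq->icreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, icreq.callID);
 break;
 case PPTP_CALL_CLEAR_REQUEST:
- cid = &pptpReq->clrreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, clrreq.callID);
 break;
 default:
 DEBUGP("unknown outbound packet 0x%04x:%s\n", msg,
@@ -197,18 +197,15 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 
 /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
 * down to here */
-
- IP_NF_ASSERT(cid);
-
 DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*cid), ntohs(new_callid));
+ ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid));
 
 /* mangle packet */
 if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
- sizeof(new_callid),
- (char *)&new_callid,
- sizeof(new_callid)) == 0)
+ cid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
+ sizeof(new_callid), (char *)&new_callid,
+ sizeof(new_callid)) == 0)
 return NF_DROP;
 
 return NF_ACCEPT;
@@ -299,7 +296,8 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 union pptp_ctrl_union *pptpReq)
 {
 struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
- u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL;
+ u_int16_t msg, new_cid = 0, new_pcid;
+ unsigned int pcid_off, cid_off = 0;
 
 int ret = NF_ACCEPT, rv;
 
@@ -307,23 +305,23 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 
 switch (msg = ntohs(ctlh->messageType)) {
 case PPTP_OUT_CALL_REPLY:
- pcid = &pptpReq->ocack.peersCallID;
- cid = &pptpReq->ocack.callID;
+ pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID);
+ cid_off = offsetof(union pptp_ctrl_union, ocack.callID);
 break;
 case PPTP_IN_CALL_CONNECT:
- pcid = &pptpReq->iccon.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, iccon.peersCallID);
 break;
 case PPTP_IN_CALL_REQUEST:
 /* only need to nat in case PAC is behind NAT box */
 return NF_ACCEPT;
 case PPTP_WAN_ERROR_NOTIFY:
- pcid = &pptpReq->wanerr.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID);
 break;
 case PPTP_CALL_DISCONNECT_NOTIFY:
- pcid = &pptpReq->disc.callID;
+ pcid_off = offsetof(union pptp_ctrl_union, disc.callID);
 break;
 case PPTP_SET_LINK_INFO:
- pcid = &pptpReq->setlink.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
 break;
 
 default:
@@ -345,25 +343,24 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
 
 /* mangle packet */
- IP_NF_ASSERT(pcid);
 DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
- ntohs(*pcid), ntohs(new_pcid));
+ ntohs(*(u_int16_t *)pptpReq + pcid_off), ntohs(new_pcid));
 
- rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)pcid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
+ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ pcid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
 sizeof(new_pcid), (char *)&new_pcid,
 sizeof(new_pcid));
 if (rv != NF_ACCEPT)
 return rv;
 
 if (new_cid) {
- IP_NF_ASSERT(cid);
 DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*cid), ntohs(new_cid));
- rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
- sizeof(new_cid),
- (char *)&new_cid,
+ ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_cid));
+ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ cid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
+ sizeof(new_cid), (char *)&new_cid,
 sizeof(new_cid));
 if (rv != NF_ACCEPT)
 return rv;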
