Revision 260 - (show annotations) (download) (as text)
Wed Jan 11 22:08:02 2006 UTC (14 years, 10 months ago) by dsd
File MIME type: text/x-diff
File size: 5841 byte(s)
more stable-queue fixes thanks to kerframil
1 From stable-bounces@linux.kernel.org Mon Jan 9 17:04:42 2006
2 Message-ID: <43C30717.8030205@trash.net>
3 Date: Tue, 10 Jan 2006 02:00:07 +0100
4 From: Patrick McHardy <kaber@trash.net>
5 To: stable@kernel.org
6 Cc:
7 Subject: [NETFILTER]: Fix another crash in ip_nat_pptp
8
9 The PPTP NAT helper calculates the offset at which the packet needs
10 to be mangled as difference between two pointers to the header. With
11 non-linear skbs however the pointers may point to two separate buffers
12 on the stack and the calculation results in a wrong offset being
13 used.
14
15 Signed-off-by: Patrick McHardy <kaber@trash.net>
16 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
17 ---
18 net/ipv4/netfilter/ip_nat_helper_pptp.c | 57 +++++++++++++++-----------------
19 1 files changed, 27 insertions(+), 30 deletions(-)
20
21 Index: linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c
22 ===================================================================
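--- linux-2.6.14.6.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -148,14 +148,14 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 {
 struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
 struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
-
- u_int16_t msg, *cid = NULL, new_callid;
+ u_int16_t msg, new_callid;
+ unsigned int cid_off;
 
 new_callid = htons(ct_pptp_info->pns_call_id);
 
 switch (msg = ntohs(ctlh->messageType)) {
 case PPTP_OUT_CALL_REQUEST:
- cid = &pptpReq->ocreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, ocreq.callID);
 /* FIXME: ideally we would want to reserve a call ID
 * here. current netfilter NAT core is not able to do
 * this :( For now we use TCP source port. This breaks
@@ -172,10 +172,10 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 ct_pptp_info->pns_call_id = ntohs(new_callid);
 break;
 case PPTP_IN_CALL_REPLY:
- cid = &pptpReq->icreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, icreq.callID);
 break;
 case PPTP_CALL_CLEAR_REQUEST:
- cid = &pptpReq->clrreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, clrreq.callID);
 break;
 default:
 DEBUGP("unknown outbound packet 0x%04x:%s\n", msg,
@@ -197,18 +197,15 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 
 /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
 * down to here */
-
- IP_NF_ASSERT(cid);
-
 DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*cid), ntohs(new_callid));
+ ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid));
 
 /* mangle packet */
 if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
- sizeof(new_callid),
- (char *)&new_callid,
- sizeof(new_callid)) == 0)
+ cid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
+ sizeof(new_callid), (char *)&new_callid,
+ sizeof(new_callid)) == 0)
 return NF_DROP;
 
 return NF_ACCEPT;
@@ -297,7 +294,8 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 union pptp_ctrl_union *pptpReq)
 {
 struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
- u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL;
+ u_int16_t msg, new_cid = 0, new_pcid;
+ unsigned int pcid_off, cid_off = 0;
 
 int ret = NF_ACCEPT, rv;
 
@@ -305,23 +303,23 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 
 switch (msg = ntohs(ctlh->messageType)) {
 case PPTP_OUT_CALL_REPLY:
- pcid = &pptpReq->ocack.peersCallID;
- cid = &pptpReq->ocack.callID;
+ pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID);
+ cid_off = offsetof(union pptp_ctrl_union, ocack.callID);
 break;
 case PPTP_IN_CALL_CONNECT:
- pcid = &pptpReq->iccon.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, iccon.peersCallID);
 break;
 case PPTP_IN_CALL_REQUEST:
 /* only need to nat in case PAC is behind NAT box */
 return NF_ACCEPT;
 case PPTP_WAN_ERROR_NOTIFY:
- pcid = &pptpReq->wanerr.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID);
 break;
 case PPTP_CALL_DISCONNECT_NOTIFY:
- pcid = &pptpReq->disc.callID;
+ pcid_off = offsetof(union pptp_ctrl_union, disc.callID);
 break;
 case PPTP_SET_LINK_INFO:
- pcid = &pptpReq->setlink.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
 break;
 
 default:
@@ -343,25 +341,24 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
 
 /* mangle packet */
- IP_NF_ASSERT(pcid);
 DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
- ntohs(*pcid), ntohs(new_pcid));
+ ntohs(*(u_int16_t *)pptpReq + pcid_off), ntohs(new_pcid));
 
- rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)pcid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
+ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ pcid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
 sizeof(new_pcid), (char *)&new_pcid,
 sizeof(new_pcid));
 if (rv != NF_ACCEPT)
 return rv;
 
 if (new_cid) {
- IP_NF_ASSERT(cid);
 DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*cid), ntohs(new_cid));
- rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
- sizeof(new_cid),
- (char *)&new_cid,
+ ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_cid));
+ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ cid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
+ sizeof(new_cid), (char *)&new_cid,
 sizeof(new_cid));
 if (rv != NF_ACCEPT)
 return rv;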
