/[linux-patches]/genpatches-2.6/trunk/2.6.15/1008_1_netfilter-pptp-crash-2.patch

Contents of /genpatches-2.6/trunk/2.6.15/1008_1_netfilter-pptp-crash-2.patch



Revision 255 - (hide annotations) (download)
Wed Jan 11 21:15:20 2006 UTC (12 years, 8 months ago) by dsd
Original Path: genpatches-2.6/trunk/2.6.15/1105_netfilter-pptp-crash.patch
File size: 5710 byte(s)
Several patches from 2.6.15.1 queue
1 dsd 255 From stable-bounces@linux.kernel.org Mon Jan 9 17:04:42 2006
2     Message-ID: <43C30717.8030205@trash.net>
3     Date: Tue, 10 Jan 2006 02:00:07 +0100
4     From: Patrick McHardy <kaber@trash.net>
5     To: stable@kernel.org
6     Cc:
7     Subject: [NETFILTER]: Fix another crash in ip_nat_pptp
8    
9     The PPTP NAT helper calculates the offset at which the packet needs
10     to be mangled as difference between two pointers to the header. With
11     non-linear skbs however the pointers may point to two separate buffers
12     on the stack and the calculation results in a wrong offset being
13     used.
14    
15     Signed-off-by: Patrick McHardy <kaber@trash.net>
16     Signed-off-by: Chris Wright <chrisw@sous-sol.org>
17     ---
18     net/ipv4/netfilter/ip_nat_helper_pptp.c | 57 +++++++++++++++-----------------
19     1 file changed, 27 insertions(+), 30 deletions(-)
20    
21     --- linux-2.6.15.y.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
22     +++ linux-2.6.15.y/net/ipv4/netfilter/ip_nat_helper_pptp.c
23     @@ -148,14 +148,14 @@ pptp_outbound_pkt(struct sk_buff **pskb,
24     {
25     struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
26     struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
27     -
28     - u_int16_t msg, *cid = NULL, new_callid;
29     + u_int16_t msg, new_callid;
30     + unsigned int cid_off;
31    
32     new_callid = htons(ct_pptp_info->pns_call_id);
33    
34     switch (msg = ntohs(ctlh->messageType)) {
35     case PPTP_OUT_CALL_REQUEST:
36     - cid = &pptpReq->ocreq.callID;
37     + cid_off = offsetof(union pptp_ctrl_union, ocreq.callID);
38     /* FIXME: ideally we would want to reserve a call ID
39     * here. current netfilter NAT core is not able to do
40     * this :( For now we use TCP source port. This breaks
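Review bot: The new `unsigned int cid_off;` is left indeterminate, whereas the pointer it replaces was initialized to NULL and later guarded by the (now removed) `IP_NF_ASSERT(cid)`; if the `default:` branch of this switch ever stopped returning early, a stack-garbage value would be handed to ip_nat_mangle_tcp_packet() as the mangle offset. Declaring it as `unsigned int cid_off = 0;` keeps that path defined, and matches how `cid_off = 0` is already written in pptp_inbound_pkt(); `pcid_off` in that function's hunk (`@@ -299,7 +296,8 @@`) has the same gap. The `default:` branch and the rest of the switch continue outside this hunk, so whether it actually returns cannot be confirmed from here.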
41     @@ -172,10 +172,10 @@ pptp_outbound_pkt(struct sk_buff **pskb,
42     ct_pptp_info->pns_call_id = ntohs(new_callid);
43     break;
44     case PPTP_IN_CALL_REPLY:
45     - cid = &pptpReq->icreq.callID;
46     + cid_off = offsetof(union pptp_ctrl_union, icreq.callID);
47     break;
48     case PPTP_CALL_CLEAR_REQUEST:
49     - cid = &pptpReq->clrreq.callID;
50     + cid_off = offsetof(union pptp_ctrl_union, clrreq.callID);
51     break;
52     default:
53     DEBUGP("unknown outbound packet 0x%04x:%s\n", msg,
54     @@ -197,18 +197,15 @@ pptp_outbound_pkt(struct sk_buff **pskb,
55    
56     /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
57     * down to here */
58     -
59     - IP_NF_ASSERT(cid);
60     -
61     DEBUGP("altering call id from 0x%04x to 0x%04x\n",
62     - ntohs(*cid), ntohs(new_callid));
63     + ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid));
64    
65     /* mangle packet */
66     if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
67     - (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
68     - sizeof(new_callid),
69     - (char *)&new_callid,
70     - sizeof(new_callid)) == 0)
71     + cid_off + sizeof(struct pptp_pkt_hdr) +
72     + sizeof(struct PptpControlHeader),
73     + sizeof(new_callid), (char *)&new_callid,
74     + sizeof(new_callid)) == 0)
75     return NF_DROP;
76    
77     return NF_ACCEPT;
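Review bot: The DEBUGP argument `ntohs(*(u_int16_t *)pptpReq + cid_off)` has an operator-precedence error: unary `*` binds tighter than `+`, so it reads the first 16-bit word of the request and adds `cid_off` to that integer instead of reading the 16-bit field at byte offset `cid_off`. The logged "from" value is therefore wrong for every message type, even though the offset passed to ip_nat_mangle_tcp_packet() below is computed correctly. The intended read is `ntohs(*(u_int16_t *)((char *)pptpReq + cid_off))`; the same expression appears at the two DEBUGP calls in the last hunk (`@@ -345,25 +343,24 @@`) with `pcid_off` and `cid_off`. DEBUGP appears to be debug-only output, so the impact is presumably limited to misleading diagnostics, but it is worth fixing in the same series.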
78     @@ -299,7 +296,8 @@ pptp_inbound_pkt(struct sk_buff **pskb,
79     union pptp_ctrl_union *pptpReq)
80     {
81     struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
82     - u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL;
83     + u_int16_t msg, new_cid = 0, new_pcid;
84     + unsigned int pcid_off, cid_off = 0;
85    
86     int ret = NF_ACCEPT, rv;
87    
88     @@ -307,23 +305,23 @@ pptp_inbound_pkt(struct sk_buff **pskb,
89    
90     switch (msg = ntohs(ctlh->messageType)) {
91     case PPTP_OUT_CALL_REPLY:
92     - pcid = &pptpReq->ocack.peersCallID;
93     - cid = &pptpReq->ocack.callID;
94     + pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID);
95     + cid_off = offsetof(union pptp_ctrl_union, ocack.callID);
96     break;
97     case PPTP_IN_CALL_CONNECT:
98     - pcid = &pptpReq->iccon.peersCallID;
99     + pcid_off = offsetof(union pptp_ctrl_union, iccon.peersCallID);
100     break;
101     case PPTP_IN_CALL_REQUEST:
102     /* only need to nat in case PAC is behind NAT box */
103     return NF_ACCEPT;
104     case PPTP_WAN_ERROR_NOTIFY:
105     - pcid = &pptpReq->wanerr.peersCallID;
106     + pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID);
107     break;
108     case PPTP_CALL_DISCONNECT_NOTIFY:
109     - pcid = &pptpReq->disc.callID;
110     + pcid_off = offsetof(union pptp_ctrl_union, disc.callID);
111     break;
112     case PPTP_SET_LINK_INFO:
113     - pcid = &pptpReq->setlink.peersCallID;
114     + pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
115     break;
116    
117     default:
118     @@ -345,25 +343,24 @@ pptp_inbound_pkt(struct sk_buff **pskb,
119     * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
120    
121     /* mangle packet */
122     - IP_NF_ASSERT(pcid);
123     DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
124     - ntohs(*pcid), ntohs(new_pcid));
125     + ntohs(*(u_int16_t *)pptpReq + pcid_off), ntohs(new_pcid));
126    
127     - rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
128     - (void *)pcid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
129     + rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
130     + pcid_off + sizeof(struct pptp_pkt_hdr) +
131     + sizeof(struct PptpControlHeader),
132     sizeof(new_pcid), (char *)&new_pcid,
133     sizeof(new_pcid));
134     if (rv != NF_ACCEPT)
135     return rv;
136    
137     if (new_cid) {
138     - IP_NF_ASSERT(cid);
139     DEBUGP("altering call id from 0x%04x to 0x%04x\n",
140     - ntohs(*cid), ntohs(new_cid));
141     - rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
142     - (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
143     - sizeof(new_cid),
144     - (char *)&new_cid,
145     + ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_cid));
146     + rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
147     + cid_off + sizeof(struct pptp_pkt_hdr) +
148     + sizeof(struct PptpControlHeader),
149     + sizeof(new_cid), (char *)&new_cid,
150     sizeof(new_cid));
151     if (rv != NF_ACCEPT)
152     return rv;
