[NETFILTER]: nf_conntrack_tcp: catch invalid state updates over ctnetlink
Invalid states can cause out-of-bound memory accesses of the state table.
Also don't insist on having a new state contained in the netlink message.
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
---
commit 887a1a991c8d75bcbb6ccf4cbac7559ea12cda7a
tree c68aa6d733b23652e4757aa7a30e36020974e331
parent 5c5f11539fad5dacee3edb96279dda0785252b66
author Patrick McHardy <kaber@xxxxxxxxx> Mon, 14 Apr 2008 12:10:55 +0200
committer Patrick McHardy <kaber@xxxxxxxxx> Mon, 14 Apr 2008 12:10:55 +0200
net/netfilter/nf_conntrack_proto_tcp.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 6256795..57831c7 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1129,11 +1129,13 @@ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
if (err < 0)
return err;
- if (!tb[CTA_PROTOINFO_TCP_STATE])
+ if (tb[CTA_PROTOINFO_TCP_STATE] &&
+ nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
return -EINVAL;
write_lock_bh(&tcp_lock);
- ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
+ if (tb[CTA_PROTOINFO_TCP_STATE])
+ ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
struct nf_ct_tcp_flags *attr =
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
