Re: Passive OS fingerprint xtables match.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thursday 2009-02-12 19:57, Evgeniy Polyakov wrote:
>>  +/**
>> >+ * Wildcard MSS (kind of).
>>    * @wc:	wild card what(?)
>>    * @val:	some value?
>> >+ */
>> >+struct ipt_osf_wc {
>> >+	__u32			wc;
>> >+	__u32			val;
>> >+};
>> 
>
>This is a weird wildcards implementation for the MSS value.
>They can be pure wildcards and several subtypes which form the window
>size and MSS state machine.

Good to know. Please add this explanation as a comment
in the next iteration.

>> >+	int opt_num;
>> >+
>> >+	char genre[MAXGENRELEN];
>> >+	char version[MAXGENRELEN];
>> >+	char subtype[MAXGENRELEN];
>> >+
>> >+	/* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
>> >+	struct ipt_osf_opt opt[MAX_IPOPTLEN];
>> >+};
>> 
>> Are you sure it is safe to use arch-dependent types like 'int'?
>
>I would be very surprised if Linux will ever run on weird arch where int
>is not 32 bits.

If GCC had a switch to compile with I16 or I64, I could test,
but it does not. 'long', as used in the netfilter includes,
already bit people in pre-2.6.19, and nowadays we have that compat
crap thing in place.. Just don't take any chance, and go the safe
route with uint32_t.

>> >+config IP_NF_MATCH_OSF
>> >+	tristate '"osf" match support'
>> >+	depends on NETFILTER_ADVANCED && CONNECTOR
>> >+	help
>> >+	  Passive OS fingerprint matching module.
>> >+	  You should download and install rule loading software from
>> >+	  http://www.ioremap.net/projects/osf
>> >+
>> >+	  To compile it as a module, choose M here.  If unsure, say N.
>> >+
>> 
>> Please do use NETFILTER_XT_ and its section.
>
>What's this? It does not exist in the net/ipv4/netfilter/Kconfig

net/netfilter/Kconfig: (e.g.)

config NETFILTER_XT_MATCH_COMMENT
        tristate  '"comment" match support'
        depends on NETFILTER_ADVANCED
        ---help---

>> >+static bool ipt_osf_match_packet(const struct sk_buff *skb,
>> >+		const struct xt_match_param *p)
>> >+{
>> >+	struct ipt_osf_info *info = (struct ipt_osf_info *)p->matchinfo;
>> >+	struct iphdr *ip;
>> >+	struct tcphdr _tcph, *tcp;
>> >+	int fmatch = FMATCH_WRONG, fcount = 0;
>> >+	unsigned int optsize = 0, check_WSS = 0;
>> >+	u16 window, totlen, mss = 0;
>> >+	unsigned char df, *optp = NULL, *_optp = NULL;
>> 
>> Maybe this should be 'bool df'?
>
>Although it is a bit, it is not really a boolean type.

The underlying implementation is not of importance here.
It behaves like a bool, and that's all what is needed.

>
>> >+			for (optnum = 0; optnum < f->opt_num; ++optnum) {
>> >+				if (f->opt[optnum].kind == (*optp)) {
>> >+					__u32 len = f->opt[optnum].length;
>> >+					__u8 *optend = optp + len;
>> >+					int loop_cont = 0;
>> >+					
>> >+					fmatch = FMATCH_OK;
>> >+
>> >+					switch (*optp) {
>> >+					case OSFOPT_MSS:
>> >+						mss = ntohs(*(u16 *)(optp + 2));
>> 
>> This needs get_unaligned(), in case someone sends a malicious packet.
>
>Hmmm, why is this needed? We dereference linear kernel pointer at
>proper offset (modulo of the option size).

What if optp is odd?

>> Do this function via
>> 	.proto = IPPROTO_TCP,
>> in the osf_match struct instead:
>
>Hmm, it is not used in the existing net/ipv4/netfilter modules.

net/ipv4/netfilter/ is about the most dusted place in Netfilter-land.
Take a grep in net/netfilter/ ;-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux