Re: Found a dead-freeze bug, in xt_ipv4options.c -- patch provided

On Saturday 2011-11-05 18:10, Eivind Naess wrote:

>As far as the security hole goes, only the changes to
>make it parse the in ipv4options_rd are needed. If my understanding of
>the option *any* was wrong given the manual, then I'll take that back.

It seems that your version of "any" is representable using

 --any --flags 1,2,3,4,5,6,7,8,9,10,11,12...,31


>Let me know how you want to proceed with this, I can provide you another
>patch with the update to ipv4options_rd only, and with proper 
>indentation.

I proceeded like this:

>commit 75cd1d7d6a3747ec297f24f67f589acd8f5a9859
>Author: Eivind Naess <eivnaes@xxxxxxxxx>
>Date:   Thu Nov 3 09:28:46 2011 -0700
>
>xt_ipv4options: fix an infinite loop
>---
>doc/changelog.txt           |    1 +
>extensions/xt_ipv4options.c |   11 +++++++++++
>2 files changed, 12 insertions(+), 0 deletions(-)
>
>diff --git a/doc/changelog.txt b/doc/changelog.txt
>index 3557175..81fcbdc 100644
>--- a/doc/changelog.txt
>+++ b/doc/changelog.txt
>@@ -5,6 +5,7 @@ Fixes:
>- build: the code actually requires at least iptables 1.4.5 (would yield a
>   compile error otherwise), make sure configure checks for it; update INSTALL
>- xt_ECHO: fix kernel warning about RTAX_HOPLIMIT being used
>+- xt_ipv4options: fix an infinite loop
>Changes:
>- xt_ECHO: now calculates UDP checksum
>Enhancements:
>diff --git a/extensions/xt_ipv4options.c b/extensions/xt_ipv4options.c
>index 42481f7..5e9d34c 100644
>--- a/extensions/xt_ipv4options.c
>+++ b/extensions/xt_ipv4options.c
>@@ -20,6 +20,17 @@ static uint32_t ipv4options_rd(const uint8_t *data, int len)
>    uint32_t opts = 0;
>
>    while (len >= 2) {
>+        switch (data[0]) {
>+        case IPOPT_END:
>+            return opts;
>+        case IPOPT_NOOP:
>+            --len;
>+            ++data;
>+            continue;
>+        }
>+
>+        if (data[1] < 2 || data[1] > len)
>+            return opts;
>        opts |= 1 << (data[0] & 0x1F);
>        len  -= data[1];
>        data += data[1];
>
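Review bot: the `if (data[1] < 2 || data[1] > len) return opts;` check is what actually closes the freeze (a length byte of 0 previously left `len` and `data` unchanged on every iteration, and a length larger than `len` walked past the buffer), but returning `opts` silently on a malformed option means a truncated or corrupt option list matches exactly like a well-formed one that ends at that point; if that is the intended semantics, a one-line comment above the check saying so would help, otherwise consider a distinct return value or a reserved bit the caller can test. The `IPOPT_END` / `IPOPT_NOOP` cases are right (END terminates the list, NOOP is a single byte so `--len; ++data; continue;` is the correct skip), but the hunk adds no `#include` for them, so make sure `<linux/ip.h>` is already pulled in by this file.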

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

