Re: [PATCH 1/1] netfilter: conntrack: make call to nf_log_packet due to helper rejection conditional on LOG_INVALID (resubmit)

Pete Holland <pholland27@xxxxxxxxx> · Mon, 5 Dec 2011 10:09:51 -0800

would you like that I check *net for NULL as is done for *ct, *help,
and *helper?

On Sun, Dec 4, 2011 at 2:49 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Hi Peter,
>
> On Fri, Dec 02, 2011 at 09:37:04AM -0800, Pete Holland wrote:
>> From: Peter Holland <pholland27@xxxxxxxxx>
>>
>> Make the logging of dropped packets due to ct helper rejection
>> conditional on LOG_INVALID.
>> This is consistent with the other uses of nf_log_packet.
>> Use protocol from conntrack tuple (original direction).
>> Without this check, there is a possible DoS based on traffic induced
>> log generation.
>> (specifically this was noted in the wild by an attacker against the SIP helper)
>>
>> Signed-off-by: Peter Holland <pholland27@xxxxxxxxx>
>> ---
>> --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c.orig       2011-11-29
>> 11:34:36.683717278 -0800
>> +++ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c    2011-12-02
>> 09:32:00.727064563 -0800
>> @@ -116,8 +116,10 @@ static unsigned int ipv4_confirm(unsigne
>>       ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
>>                          ct, ctinfo);
>>       if (ret != NF_ACCEPT) {
>> -             nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
>> -                           "nf_ct_%s: dropping packet", helper->name);
>> +             if (LOG_INVALID(nf_ct_net(ct),
>> +                             ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum))
>
> You can use nf_ct_protonum here.
>
>> +                     nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
>> +                                   "nf_ct_%s: dropping packet", helper->name);
>>               return ret;
>>       }
>
> Below you can find:
>
> /* adjust seqs for loopback traffic only in outgoing direction */
> if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
>    !nf_is_loopback_packet(skb)) {
>        typeof(nf_nat_seq_adjust_hook) seq_adjust;
>
>        seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook);
>        if (!seq_adjust || !seq_adjust(skb, ct, ctinfo)) {
>                NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);
>                                      ^^^^^^^^^^^^
>
> Please, declare in ipv4_confirm:
>
> struct net *net = nf_ct_net(ct);
>
> And use the net pointer in that function.
>
> Same thing for the IPv6 side.
>
> Thank you.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html