Re: [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



	Hello,

On Mon, 17 Jun 2013, Pablo Neira Ayuso wrote:

> In (bc6bcb5 netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond
> packet boundary), the use of tcp_hdr was introduced. However, we
> cannot assume that skb->transport_header is set for non-local packets.

	It is hidden also in tcp_hdrlen() which is used here.

> Cc: Florian Westphal <fw@xxxxxxxxx>
> Reported-by: Phil Oester <kernel@xxxxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
>  net/netfilter/xt_TCPOPTSTRIP.c |    6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
> index 1eb1a44..b68fa19 100644
> --- a/net/netfilter/xt_TCPOPTSTRIP.c
> +++ b/net/netfilter/xt_TCPOPTSTRIP.c
> @@ -48,11 +48,13 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
>  		return NF_DROP;
>  
>  	len = skb->len - tcphoff;
> -	if (len < (int)sizeof(struct tcphdr) ||
> -	    tcp_hdr(skb)->doff * 4 > len)
> +	if (len < (int)sizeof(struct tcphdr))
>  		return NF_DROP;
>  
>  	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
> +	if (tcph->doff * 4 > len)

	We can save tcph->doff * 4 in a var and use it
instead of tcp_hdrlen.

	BTW, optlen() touches opt[offset+1] unsafely
when i == tcp_hdrlen(skb) - 1.

> +		return NF_DROP;
> +
>  	opt  = (u_int8_t *)tcph;
>  
>  	/*
> -- 
> 1.7.10.4

Regards

--
Julian Anastasov <ja@xxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux