[PATCH] netfilter: xt_u32: Accept negative offset in AT operation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Remove unnecessary uint wraparound checks which prohibited two's
complement representation of negative number in "@" operation.
It is required to test last N bytes of variable length formats and to be
consistent with libxt parser which silently replaces negative number by
its compliment.

For example, --u32 '0&0xFFFF@-4=0' will read IPv4 total length header
then add complement of -4 to test if the last 4 bytes are 0. Previously,
it would never match as (total length)+0xFFFFFFFC always overflow.

Signed-off-by: Takero Funaki <raphanus@xxxxxxxxx>
---
 net/netfilter/xt_u32.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index a95b5034..9de339d 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -57,12 +57,12 @@ static bool u32_match_it(const struct xt_u32 *data,
 				val >>= number;
 				break;
 			case XT_U32_AT:
-				if (at + val < at)
-					return false;
 				at += val;
 				pos = number;
-				if (at + 4 < at || skb->len < at + 4 ||
-				    pos > skb->len - at - 4)
+				/* unsigned integer may wraparound
+				 * to represent negative offset
+				 */
+				if (at + pos > skb->len - 4)
 					return false;
 
 				if (skb_copy_bits(skb, at + pos, &n,
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux