Hi Zhouyi, [auto build test ERROR on nf-next/master] [also build test ERROR on v4.5-rc1 next-20160127] [if your patch is applied to the wrong git tree, please drop us a note to help improving the system] url: https://github.com/0day-ci/linux/commits/Zhouyi-Zhou/netfilter-h323-avoid-potential-attack/20160127-225253 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next master config: x86_64-randconfig-x016-01270835 (attached as .config) reproduce: # save the attached .config to linux build tree make ARCH=x86_64 All error/warnings (new ones prefixed by >>): net/netfilter/nf_conntrack_h323_main.c: In function 'get_h245_addr': >> net/netfilter/nf_conntrack_h323_main.c:114:11: error: invalid operands to binary - (have 'const unsigned char *' and 'char *') if (((p - h323_buffer) + n) > 65536) \ ^ >> net/netfilter/nf_conntrack_h323_main.c:254:2: note: in expansion of macro 'CHECK_BOUND' CHECK_BOUND(p, len); ^ net/netfilter/nf_conntrack_h323_main.c: In function 'get_h225_addr': >> net/netfilter/nf_conntrack_h323_main.c:114:11: error: invalid operands to binary - (have 'const unsigned char *' and 'char *') if (((p - h323_buffer) + n) > 65536) \ ^ net/netfilter/nf_conntrack_h323_main.c:678:2: note: in expansion of macro 'CHECK_BOUND' CHECK_BOUND(p, len); ^ vim +114 net/netfilter/nf_conntrack_h323_main.c 108 __be16 port, struct nf_conntrack_expect *exp) 109 __read_mostly; 110 111 static DEFINE_SPINLOCK(nf_h323_lock); 112 static char *h323_buffer; 113 #define CHECK_BOUND(p, n) do { \ > 114 if (((p - h323_buffer) + n) > 65536) \ 115 return 0; \ 116 } while (0) 117 118 static struct nf_conntrack_helper nf_conntrack_helper_h245; 119 static struct nf_conntrack_helper nf_conntrack_helper_q931[]; 120 static struct nf_conntrack_helper nf_conntrack_helper_ras[]; 121 122 /****************************************************************************/ 123 static int get_tpkt_data(struct sk_buff *skb, unsigned int protoff, 124 struct nf_conn *ct, enum ip_conntrack_info ctinfo, 
125 unsigned char **data, int *datalen, int *dataoff) 126 { 127 struct nf_ct_h323_master *info = nfct_help_data(ct); 128 int dir = CTINFO2DIR(ctinfo); 129 const struct tcphdr *th; 130 struct tcphdr _tcph; 131 int tcpdatalen; 132 int tcpdataoff; 133 unsigned char *tpkt; 134 int tpktlen; 135 int tpktoff; 136 137 /* Get TCP header */ 138 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph); 139 if (th == NULL) 140 return 0; 141 142 /* Get TCP data offset */ 143 tcpdataoff = protoff + th->doff * 4; 144 145 /* Get TCP data length */ 146 tcpdatalen = skb->len - tcpdataoff; 147 if (tcpdatalen <= 0) /* No TCP data */ 148 goto clear_out; 149 150 if (*data == NULL) { /* first TPKT */ 151 /* Get first TPKT pointer */ 152 tpkt = skb_header_pointer(skb, tcpdataoff, tcpdatalen, 153 h323_buffer); 154 BUG_ON(tpkt == NULL); 155 156 /* Validate TPKT identifier */ 157 if (tcpdatalen < 4 || tpkt[0] != 0x03 || tpkt[1] != 0) { 158 /* Netmeeting sends TPKT header and data separately */ 159 if (info->tpkt_len[dir] > 0) { 160 pr_debug("nf_ct_h323: previous packet " 161 "indicated separate TPKT data of %hu " 162 "bytes\n", info->tpkt_len[dir]); 163 if (info->tpkt_len[dir] <= tcpdatalen) { 164 /* Yes, there was a TPKT header 165 * received */ 166 *data = tpkt; 167 *datalen = info->tpkt_len[dir]; 168 *dataoff = 0; 169 goto out; 170 } 171 172 /* Fragmented TPKT */ 173 pr_debug("nf_ct_h323: fragmented TPKT\n"); 174 goto clear_out; 175 } 176 177 /* It is not even a TPKT */ 178 return 0; 179 } 180 tpktoff = 0; 181 } else { /* Next TPKT */ 182 tpktoff = *dataoff + *datalen; 183 tcpdatalen -= tpktoff; 184 if (tcpdatalen <= 4) /* No more TPKT */ 185 goto clear_out; 186 tpkt = *data + *datalen; 187 188 /* Validate TPKT identifier */ 189 if (tpkt[0] != 0x03 || tpkt[1] != 0) 190 goto clear_out; 191 } 192 193 /* Validate TPKT length */ 194 tpktlen = tpkt[2] * 256 + tpkt[3]; 195 if (tpktlen < 4) 196 goto clear_out; 197 if (tpktlen > tcpdatalen) { 198 if (tcpdatalen == 4) { /* Separate TPKT header 
*/ 199 /* Netmeeting sends TPKT header and data separately */ 200 pr_debug("nf_ct_h323: separate TPKT header indicates " 201 "there will be TPKT data of %hu bytes\n", 202 tpktlen - 4); 203 info->tpkt_len[dir] = tpktlen - 4; 204 return 0; 205 } 206 207 pr_debug("nf_ct_h323: incomplete TPKT (fragmented?)\n"); 208 goto clear_out; 209 } 210 211 /* This is the encapsulated data */ 212 *data = tpkt + 4; 213 *datalen = tpktlen - 4; 214 *dataoff = tpktoff + 4; 215 216 out: 217 /* Clear TPKT length */ 218 info->tpkt_len[dir] = 0; 219 return 1; 220 221 clear_out: 222 info->tpkt_len[dir] = 0; 223 return 0; 224 } 225 226 /****************************************************************************/ 227 static int get_h245_addr(struct nf_conn *ct, const unsigned char *data, 228 H245_TransportAddress *taddr, 229 union nf_inet_addr *addr, __be16 *port) 230 { 231 const unsigned char *p; 232 int len; 233 234 if (taddr->choice != eH245_TransportAddress_unicastAddress) 235 return 0; 236 237 switch (taddr->unicastAddress.choice) { 238 case eUnicastAddress_iPAddress: 239 if (nf_ct_l3num(ct) != AF_INET) 240 return 0; 241 p = data + taddr->unicastAddress.iPAddress.network; 242 len = 4; 243 break; 244 case eUnicastAddress_iP6Address: 245 if (nf_ct_l3num(ct) != AF_INET6) 246 return 0; 247 p = data + taddr->unicastAddress.iP6Address.network; 248 len = 16; 249 break; 250 default: 251 return 0; 252 } 253 > 254 CHECK_BOUND(p, len); 255 256 memcpy(addr, p, len); 257 memset((void *)addr + len, 0, sizeof(*addr) - len); --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
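Review bot: The error at line 114 is a pointer-type mismatch rather than a logic error: in get_h245_addr `p` is `const unsigned char *` while `h323_buffer` is declared `char *` on line 112, and C forbids subtracting pointers of different types, so CHECK_BOUND needs a cast such as `if (((p) - (const unsigned char *)h323_buffer + (n)) > 65536)` (or `h323_buffer` itself declared `unsigned char *`), with `p` and `n` parenthesized because they are macro arguments. The check is also only meaningful when `p` really points into h323_buffer: at lines 152-153 get_tpkt_data obtains `tpkt` through `skb_header_pointer(..., h323_buffer)`, which returns a pointer into the skb's own linear data when the requested bytes are already contiguous and copies into the supplied buffer only otherwise, so unless something outside this excerpt forces the copy, `p - h323_buffer` can be the distance between two unrelated allocations and the bound then rejects or admits attacker-supplied offsets at random. The `65536` literal should additionally be tied to the size h323_buffer is allocated with (not visible here), for example through one shared `#define`, so the limit and the allocation cannot drift apart. get_h245_addr continues past the end of this listing, so its remaining uses of `p` are not reviewed here.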