Don't leak the kernel pointer to userspace by adding a random seed. If you want a unique conntrack ID, used the new CTA_ID64 attribute.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 net/netfilter/nf_conntrack_netlink.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 7aecb8ae5ecc..9a3357eeecdc 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -60,6 +60,7 @@ MODULE_LICENSE("GPL");
 static char __initdata version[] = "0.93";
+static u32 nf_ct_seed __read_mostly;
 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
 const struct nf_conntrack_tuple *tuple,
@@ -444,9 +445,19 @@ static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
 return -1;
 }
+static u32 nf_ct_id32(const struct nf_conn *ct)
+{
+ u32 id = (u32)(unsigned long)ct;
+
+ if (!nf_ct_seed)
+ nf_ct_seed = get_random_u32();
+
+ return id + nf_ct_seed;
+}
+
 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
 {
- if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)) ||
+ if (nla_put_be32(skb, CTA_ID, htonl(nf_ct_id32(ct))) ||
 nla_put_be64(skb, CTA_ID64, cpu_to_be64(nf_ct_id(ct)), CTA_PAD))
 goto nla_put_failure;
 return 0;
@@ -1173,7 +1184,7 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
 if (cda[CTA_ID]) {
 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
- if (id != (u32)(unsigned long)ct) {
+ if (id != nf_ct_id32(ct)) {
 nf_ct_put(ct);
 return -ENOENT;
 }
-- 
2.11.0
-- 
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
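Review bot: Adding a single per-boot constant in nf_ct_id32 (`return id + nf_ct_seed;`) does not hide the pointer: the difference between any two CTA_ID values equals the difference between the two object addresses, so relative heap layout is still exposed to userspace, and one address disclosure from anywhere recovers nf_ct_seed and every other id with it. Mixing the address through a seeded hash instead removes that linear relationship, e.g. `return jhash_1word((u32)(unsigned long)ct, nf_ct_seed);`, or better a siphash keyed with a `siphash_key_t` as other kernel id-hiding code does. The lazy `if (!nf_ct_seed) nf_ct_seed = get_random_u32();` is also unsynchronized: two concurrent dumpers can each observe zero and the second write overwrites the first, so an id already handed to userspace no longer matches the check in ctnetlink_del_conntrack and the delete fails with -ENOENT; `net_get_random_once(&nf_ct_seed, sizeof(nf_ct_seed));` gives a race-free single initialization and also covers the case where get_random_u32() legitimately returns zero. Worth a comment on the helper as well, e.g. `/* Obfuscated 32-bit id kept for CTA_ID compatibility; CTA_ID64 is the unique id. */`, since the description says CTA_ID is no longer meant to be unique.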
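Review bot: The comparison in ctnetlink_del_conntrack is the only lookup site updated to nf_ct_id32, and the hunk shows neither the start nor the end of that function, so any other place in this file that still compares or emits a raw object address as a 32-bit id keeps the leak this commit sets out to close; in particular, if the expectation path still derives CTA_EXPECT_ID from the expectation pointer, it should get the same treatment. That is outside the diff, so please confirm against the full file rather than taking it from this note.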