On Wed, Jul 04, 2018 at 07:49:38PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Wed, Jul 04, 2018 at 07:34:54PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Jun 28, 2018 at 01:34:42PM +0200, Máté Eckl wrote:
> > > > This patch fixes a silent out-of-bound read possibility that was present
> > > > because of the misuse of this function.
> > > >
> > > > Mostly it was called with a struct udphdr *hp which had only the udphdr
> > > > part linearized by the skb_header_pointer, however
> > > > nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads for
> > > > tcp specific attributes may be invalid.
> > >
> > > Applied, thanks.
> >
> > Wait, I think this may break UDP traffic over tproxy.
> >
> > If we get a UDP packet whose header + payload is smaller than the TCP
> > header, this will break things.
>
> Indeed, good catch. This will need to indicate l4 protocol as arg
> to tell skb_header_pointer the correct l4 header size.
I'll take care of this.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
