On Tue, Mar 10, 2015 at 07:14:24PM +0800, Zhiqiang Zhang wrote:
> From: Florian Westphal <fw@xxxxxxxxx>
>
> commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream
>
> Given the following iptables ruleset:
>
> -P FORWARD DROP
> -A FORWARD -m sctp --dport 9 -j ACCEPT
> -A FORWARD -p tcp --dport 80 -j ACCEPT
> -A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
>
> One would assume that this allows SCTP on port 9 and TCP on port 80.
> Unfortunately, if the SCTP conntrack module is not loaded, this allows
> *all* SCTP communication to pass through, i.e. -p sctp -j ACCEPT,
> which we think is a security issue.
>
> This is because on the first SCTP packet on port 9, we create a dummy
> "generic l4" conntrack entry without any port information (since
> conntrack doesn't know how to extract this information).
>
> All subsequent packets that are unknown will then be in established
> state since they will fall back to proto_generic and will match the
> 'generic' entry.
>
> Our originally proposed version [1] completely disabled generic protocol
> tracking, but Jozsef suggests to not track protocols for which a more
> suitable helper is available, hence we now mitigate the issue for in
> tree known ct protocol helpers only, so that at least NAT and direction
> information will still be preserved for others.
>
> [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
>
> Joint work with Daniel Borkmann.
>
> Fixes CVE-2014-8160.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx>
> Acked-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@xxxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
> 1 file changed, 25 insertions(+), 1 deletion(-)

What stable kernel(s) do you want this applied to? Please always include
this information, otherwise I have no idea.
thanks,

greg k-h
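The mechanism the quoted commit message describes, as an added illustration: this is a constructed Python model written for this page, not kernel code and not anything from the netfilter tree or from this thread. The point it shows is the flow key. A protocol-specific tracker keys an entry on the full 5-tuple; the generic l4 tracker only knows (src, dst, proto), so after the first SCTP packet to port 9 every later SCTP packet between the same two hosts lands on that one entry and reports ESTABLISHED. The model's `refuse_generic` switch mirrors the approach the commit describes, declining to generic-track protocols that have an in-tree tracker, so such packets get no entry (modelled here as ctstate INVALID). Two assumptions are made here: the stateful rule is applied to every protocol, which the described outcome requires (as quoted, that rule carries `-p tcp`), and the addresses and ports are constructed.

```python
"""Constructed model of the conntrack behaviour the quoted commit describes.

Not kernel code: no timeouts, no NAT, no per-protocol state machines. Only
the flow key and the ctstate derived from it are modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_SCTP = 132


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


class Entry:
    """One tracked flow; it counts as ESTABLISHED once a reply has been seen."""
    def __init__(self) -> None:
        self.seen_reply = False


class Conntrack:
    """Minimal connection table.

    `loaded` lists protocols with a port-aware tracker (5-tuple key). Any
    other protocol falls back to the generic l4 tracker, whose key is just
    (src, dst, proto). `refuse_generic` models the mitigation: protocols
    named there get no generic entry at all.
    """

    def __init__(self, loaded, refuse_generic=()):
        self.loaded = set(loaded)
        self.refuse_generic = set(refuse_generic)
        self.table: Dict[Tuple, Tuple[Entry, str]] = {}

    def _tuple(self, pkt: Packet) -> Optional[Tuple]:
        if pkt.proto in self.loaded:
            return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if pkt.proto in self.refuse_generic:
            return None                           # mitigated: not tracked
        return (pkt.src, pkt.dst, pkt.proto)      # generic l4: port-less key

    @staticmethod
    def _reverse(t: Tuple) -> Tuple:
        if len(t) == 5:
            src, dst, proto, sport, dport = t
            return (dst, src, proto, dport, sport)
        src, dst, proto = t
        return (dst, src, proto)

    def ctstate(self, pkt: Packet) -> str:
        """Return the -m conntrack --ctstate value this packet would get."""
        t = self._tuple(pkt)
        if t is None:
            return "INVALID"      # no entry: belongs to no tracked flow
        hit = self.table.get(t)
        if hit is None:
            entry = Entry()
            self.table[t] = (entry, "ORIGINAL")
            self.table[self._reverse(t)] = (entry, "REPLY")
            return "NEW"
        entry, direction = hit
        if direction == "REPLY":
            entry.seen_reply = True
            return "ESTABLISHED"
        return "ESTABLISHED" if entry.seen_reply else "NEW"


def forward_verdict(pkt: Packet, state: str) -> str:
    """The FORWARD chain from the commit message, policy DROP. The stateful
    rule is applied to every protocol here (assumption, see lead-in)."""
    if pkt.proto == IPPROTO_SCTP and pkt.dport == 9:
        return "ACCEPT"
    if pkt.proto == IPPROTO_TCP and pkt.dport == 80:
        return "ACCEPT"
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"


def run_scenario(ct: Conntrack) -> List[str]:
    """Constructed packets: SCTP to the allowed port, its reply, then SCTP
    to an unrelated port between the same two hosts."""
    client, server = "10.0.0.1", "10.0.0.2"      # constructed addresses
    flow = [
        Packet(client, server, IPPROTO_SCTP, 40000, 9),
        Packet(server, client, IPPROTO_SCTP, 9, 40000),
        Packet(client, server, IPPROTO_SCTP, 40001, 22),
    ]
    return [forward_verdict(p, ct.ctstate(p)) for p in flow]


def demo() -> Dict[str, List[str]]:
    return {
        # sctp module not loaded, generic tracker used: third packet passes
        "generic_tracking": run_scenario(Conntrack(loaded={IPPROTO_TCP})),
        # mitigation: SCTP never generic-tracked, nothing becomes ESTABLISHED
        "generic_refused": run_scenario(
            Conntrack(loaded={IPPROTO_TCP}, refuse_generic={IPPROTO_SCTP})),
        # sctp tracker loaded: port-aware key, third packet is NEW and dropped
        "sctp_tracker_loaded": run_scenario(
            Conntrack(loaded={IPPROTO_TCP, IPPROTO_SCTP})),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:20s} {verdicts}")
```

The second scenario also shows the trade-off the commit accepts: with generic tracking refused, the reply to the permitted port-9 flow is no longer ESTABLISHED either, so a stateful ruleset for that protocol only works once its own conntrack module is loaded (third scenario) or the reverse direction is opened explicitly.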