From patchwork Mon Apr 9 22:42:47 2012
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 151490
Date: Tue, 10 Apr 2012 00:42:47 +0200
From: Pablo Neira Ayuso
To: Jozsef Kadlecsik
Cc: Netfilter Development Mailing list
Subject: Re: [PATCH 0/2] Handle invalid packets in conntrack consistently
Message-ID: <20120409224247.GA27514@1984>
References: <1333724253-32261-1-git-send-email-kadlec@blackhole.kfki.hu>
In-Reply-To: <1333724253-32261-1-git-send-email-kadlec@blackhole.kfki.hu>
X-Mailing-List: netfilter-devel@vger.kernel.org

Hi Jozsef,

On Fri, Apr 06, 2012 at 04:57:31PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> As it was discussed, at the moment conntrack handles invalid packets
> differently: IPv6 conntrack marks the packets as INVALID and lets
> the user drop them by an explicit rule, while IPv4 conntrack
> simply drops such packets.
>
> The next two patches bring conntrack in sync by changing IPv4 conntrack
> behaviour to follow IPv6 conntrack. Invalid packet logging support is
> also added.
>
> The patches are a follow-up to the second version of the patch I sent on
> Tuesday, with the cover letter subject "Drop malformed IPv4 packets in
> conntrack, 2nd try".

If you don't mind, I'll submit the following reworked patches. Basically, it
initially fixes the inconsistency in the handling of bad packets between IPv4
and IPv6, then the packets with wrong ihl.

I have left the change to add logging out; I think that belongs to net-next.
I'll recover that once I start collecting patches for it (that will happen
along this week).

I have kept you as author; they are basically yours with little changes. I
hope that you don't mind.

From 22c6a3f87f4c36866269af66f26dd640ff2adc16 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Tue, 3 Apr 2012 22:02:01 +0200
Subject: [PATCH 2/2] netfilter: nf_ct_ipv4: packets with wrong ihl are invalid

It was reported that the Linux kernel sometimes logs:

klogd: [2629147.402413] kernel BUG at net/netfilter/nf_conntrack_proto_tcp.c:447!
klogd: [1072212.887368] kernel BUG at net/netfilter/nf_conntrack_proto_tcp.c:392

ipv4_get_l4proto() in nf_conntrack_l3proto_ipv4.c and tcp_error() in
nf_conntrack_proto_tcp.c should catch malformed packets, so the errors at the
indicated lines - TCP options parsing - should not happen. However, tcp_error()
relies on the "dataoff" offset to the TCP header, calculated by
ipv4_get_l4proto(). But ipv4_get_l4proto() does not check bogus ihl values in
IPv4 packets, which then can slip through tcp_error() and get caught at the TCP
options parsing routines.

The patch fixes ipv4_get_l4proto() by dropping packets with bogus ihl value.

The patch closes netfilter bugzilla id 771.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 750b06a..7437832 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c @@ -84,6 +84,14 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff, *dataoff = nhoff + (iph->ihl << 2); *protonum = iph->protocol; + /* Check bogus IP headers */ + if (*dataoff > skb->len) { + pr_debug("nf_conntrack_ipv4: drop bogus IPv4 packet: " + "nhoff %u, ihl %u, skblen %u\n", + nhoff, iph->ihl << 2, skb->len); + return -NF_ACCEPT; + } + return NF_ACCEPT; } -- 1.7.2.5
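Review bot: the new check in ipv4_get_l4proto() only catches an ihl that pushes *dataoff past skb->len; an ihl below 5 (a header shorter than the 20-byte IPv4 minimum) still passes it, so *dataoff can land inside the IPv4 header itself, and since the commit message says the fix drops packets with a bogus ihl value, consider also rejecting `iph->ihl < 5` before computing `*dataoff = nhoff + (iph->ihl << 2)`. Separately, the pr_debug text reads "drop bogus IPv4 packet" while `return -NF_ACCEPT` hands the packet back untracked (the INVALID behaviour the cover letter describes for IPv6) rather than dropping it; rewording the message to "bogus IPv4 packet" would keep debug logs accurate. The comment `/* Check bogus IP headers */` could also say what is checked (the ihl-derived offset against the packet length).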
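The commit message explains that ipv4_get_l4proto() derived "dataoff" from the ihl field without validating it, so a bogus ihl reached tcp_error() and the TCP option parser. The following C program is an added illustration, not the kernel's code and not part of the patch: a user-space stand-in for that validation, where the `pkt`/`len` parameters play the role of skb->data/skb->len and `nhoff` the role of the network header offset. It reproduces the patch's own test (L4 offset past the end of the packet) and, going beyond the patch, also rejects ihl < 5 and a non-4 version nibble, since a real IPv4 header is at least 20 bytes. The function name `ipv4_l4_offset` and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel's code: a user-space stand-in for the
 * length validation the patch adds to ipv4_get_l4proto(). 'pkt'/'len'
 * stand for skb->data/skb->len and 'nhoff' for the network header offset
 * (assumed names). Beyond the patch's own test it also rejects ihl < 5 and
 * version != 4: a header shorter than 20 bytes would put the L4 offset
 * inside the IP header itself. */

#define IPV4_MIN_HDR_LEN 20u

/* Returns the offset of the L4 header on success, or -1 if the IPv4 header
 * is bogus. On success *protonum (if non-NULL) receives the IP protocol. */
int ipv4_l4_offset(const uint8_t *pkt, size_t len, size_t nhoff,
                   uint8_t *protonum)
{
    /* Not even a minimal header fits: refuse to read the ihl field at all. */
    if (len < IPV4_MIN_HDR_LEN || nhoff > len - IPV4_MIN_HDR_LEN)
        return -1;

    unsigned version = pkt[nhoff] >> 4;
    unsigned ihl = pkt[nhoff] & 0x0f;       /* header length in 32-bit words */
    if (version != 4 || ihl < 5)            /* extra check, not in the patch */
        return -1;

    size_t dataoff = nhoff + (ihl << 2);    /* same arithmetic as the patch */
    if (dataoff > len)                      /* the check the patch adds */
        return -1;

    if (protonum)
        *protonum = pkt[nhoff + 9];         /* protocol field of the header */
    return (int)dataoff;
}

/* Constructed sample packet: zeroed buffer with an IPv4 header at offset 0,
 * the given ihl, and protocol 6 (TCP). Only the fields read above are set. */
void make_packet(uint8_t *buf, size_t len, unsigned ihl)
{
    memset(buf, 0, len);
    buf[0] = (uint8_t)(0x40 | (ihl & 0x0f));
    buf[9] = 6;
}

/* Runs three constructed cases and returns how many were rejected: a
 * well-formed header, an ihl that overruns the packet, and an ihl below
 * the minimum. Returns 2. */
int count_rejected(void)
{
    uint8_t buf[40];
    uint8_t proto = 0;
    int rejected = 0;

    make_packet(buf, sizeof buf, 5);   /* 20-byte header: accepted, offset 20 */
    if (ipv4_l4_offset(buf, sizeof buf, 0, &proto) < 0)
        rejected++;

    make_packet(buf, sizeof buf, 15);  /* 60-byte header in a 40-byte packet */
    if (ipv4_l4_offset(buf, sizeof buf, 0, &proto) < 0)
        rejected++;

    make_packet(buf, sizeof buf, 2);   /* 8-byte "header": below the minimum */
    if (ipv4_l4_offset(buf, sizeof buf, 0, &proto) < 0)
        rejected++;

    return rejected;
}

int main(void)
{
    printf("rejected %d of 3 constructed packets\n", count_rejected());
    return 0;
}
```

Note that, like the patch, the comparison is `dataoff > len`, so a header that exactly fills the packet (no L4 bytes at all) is still handed on; whether that is acceptable depends on what the L4 parser does with a zero-length payload, which is why the example keeps the `len`-based guard in front of every read.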