Patchwork netfilter: fix out-of-bounds access in nat addr selection

login
register
mail settings
Submitter Florian Westphal
Date Sept. 5, 2012, 8:10 p.m.
Message ID <1346875828-14054-1-git-send-email-fw@strlen.de>
Download mbox | patch
Permalink /patch/181943/
State Accepted
Headers show

Comments

Florian Westphal - Sept. 5, 2012, 8:10 p.m.
include/linux/jhash.h:138:16: warning: array subscript is above array bounds
[jhash2() expects the number of u32 in the key]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
Only affects -next.
note that I also get same warning for hash_by_src(); but
hash = jhash2((u32 *)&tuple->src, sizeof(tuple->src) / sizeof(u32),
	      tuple->dst.protonum ^ zone ^ nf_conntrack_hash_rnd);
looks correct to me.
Pablo Neira - Sept. 10, 2012, 9:14 a.m.
On Wed, Sep 05, 2012 at 10:10:28PM +0200, Florian Westphal wrote:
> include/linux/jhash.h:138:16: warning: array subscript is above array bounds
> [jhash2() expects the number of u32 in the key]

Applied to -next, thanks Florian.

> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> Only affects -next.
> note that I also get same warning for hash_by_src(); but
> hash = jhash2((u32 *)&tuple->src, sizeof(tuple->src) / sizeof(u32),
> 	      tuple->dst.protonum ^ zone ^ nf_conntrack_hash_rnd);
> looks correct to me.

It also seems correct to me, that tuple->src is 5*4 bytes long.

I'm not hitting any warning with gcc-4.7 though.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 29d4452..1816ad3 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -255,7 +255,7 @@  find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple,
 	 * client coming from the same IP (some Internet Banking sites
 	 * like this), even across reboots.
 	 */
-	j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3),
+	j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),
 		   range->flags & NF_NAT_RANGE_PERSISTENT ?
 			0 : (__force u32)tuple->dst.u3.all[max] ^ zone);