From patchwork Wed Feb 13 20:38:31 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pablo Neira Ayuso <pablo@netfilter.org>
X-Patchwork-Id: 220244
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 0CBAF2C008C
	for <patchwork-incoming@ozlabs.org>;
	Thu, 14 Feb 2013 07:39:10 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934432Ab3BMUio (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 13 Feb 2013 15:38:44 -0500
Received: from slan-550-85.anhosting.com ([209.236.71.68]:65067 "EHLO
	slan-550-85.anhosting.com" rhost-flags-OK-OK-OK-OK) by
	vger.kernel.org with ESMTP id S934374Ab3BMUim (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 13 Feb 2013 15:38:42 -0500
Received: from dslb-088-075-075-000.pools.arcor-ip.net ([88.75.75.0]:50694
	helo=localhost.localdomain)
	by slan-550-85.anhosting.com with esmtpa (Exim 4.80)
	(envelope-from <pablo@netfilter.org>)
	id 1U5j6G-000eY3-V6; Wed, 13 Feb 2013 13:38:41 -0700
From: pablo@netfilter.org
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 1/3] netfilter: ctnetlink: don't permit ct creation with
	random tuple
Date: Wed, 13 Feb 2013 21:38:31 +0100
Message-Id: <1360787913-10335-2-git-send-email-pablo@netfilter.org>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1360787913-10335-1-git-send-email-pablo@netfilter.org>
References: <1360787913-10335-1-git-send-email-pablo@netfilter.org>
X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - slan-550-85.anhosting.com
X-AntiAbuse: Original Domain - vger.kernel.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - netfilter.org
X-Get-Message-Sender-Via: slan-550-85.anhosting.com: authenticated_id:
	p@60rpm.tv
X-Source: 
X-Source-Args: 
X-Source-Dir: 
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Florian Westphal <fw@strlen.de>

Userspace can cause kernel panic by not specifying orig/reply
tuple: kernel will create a tuple with random stack values.

Problem is that tuple.dst.dir will be random, too, which
causes nf_ct_tuplehash_to_ctrack() to return garbage.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
---
 net/netfilter/nf_conntrack_netlink.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 627b0e5..a081915 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1705,6 +1705,9 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 		if (nlh->nlmsg_flags & NLM_F_CREATE) {
 			enum ip_conntrack_events events;
 
+			if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
+				return -EINVAL;
+
 			ct = ctnetlink_create_conntrack(net, zone, cda, &otuple,
 							&rtuple, u3);
 			if (IS_ERR(ct))