From patchwork Mon May 6 23:05:26 2013
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 241823
X-Patchwork-Delegate: pablo@netfilter.org
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: stable@vger.kernel.org, davem@davemloft.net
Subject: [-stable-3.8.y 7/9] netfilter: ctnetlink: don't permit ct creation with random tuple
Date: Tue, 7 May 2013 01:05:26 +0200
Message-Id: <1367881528-15524-7-git-send-email-pablo@netfilter.org>
In-Reply-To: <1367881528-15524-1-git-send-email-pablo@netfilter.org>
References: <1367881528-15524-1-git-send-email-pablo@netfilter.org>

From: Florian Westphal

Userspace can cause kernel panic by not specifying orig/reply tuple:
kernel will create a tuple with random stack values.

Problem is that tuple.dst.dir will be random, too, which causes
nf_ct_tuplehash_to_ctrack() to return garbage.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
[ git cherry-pick 442fad9 ]
---
 net/netfilter/nf_conntrack_netlink.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 627b0e5..a081915 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1705,6 +1705,9 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, if (nlh->nlmsg_flags & NLM_F_CREATE) { enum ip_conntrack_events events; + if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) + return -EINVAL; + ct = ctnetlink_create_conntrack(net, zone, cda, &otuple, &rtuple, u3); if (IS_ERR(ct))
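Review bot: the new check sits inside the NLM_F_CREATE branch only, so it protects ctnetlink_create_conntrack() but nothing that may consume otuple/rtuple before this point; it is worth confirming that no earlier code in ctnetlink_new_conntrack() touches a tuple whose attribute was absent, or moving the `if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])` test up to where the tuples are parsed so every consumer is covered. -EINVAL is the right code for a malformed request; a one-line comment above the check stating that otuple/rtuple are left uninitialised when their attribute is missing would help the next reader, since the context lines alone do not show why both tuples are mandatory for creation.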
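An added example, not the kernel's code and not part of this patch: a cut-down C model of the failure the commit message describes (a tuple left with stale stack contents, so dst.dir indexes outside the two-direction table) next to the guard shape the hunk introduces. Every name here (struct nlattr, struct tuple, parse_tuple, tuplehash_index, create_unguarded, create_guarded, run_request) and the sample attribute values are constructed for illustration; the real netfilter structures differ, and stale stack contents are simulated with a poison byte rather than actually read uninitialised.

```c
/* Constructed model of required-attribute validation before use. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Hypothetical attribute ids and directions, mirroring the kernel names. */
enum { CTA_UNSPEC, CTA_TUPLE_ORIG, CTA_TUPLE_REPLY, CTA_MAX = CTA_TUPLE_REPLY };
enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1, IP_CT_DIR_MAX = 2 };

/* Hypothetical netlink attribute: a type tag plus a small payload. */
struct nlattr { int type; unsigned char dir; unsigned int addr; };

/* Hypothetical conntrack tuple: only dst.dir matters for this example. */
struct tuple { unsigned int addr; struct { unsigned char dir; } dst; };

/* Parser that fills the tuple only when the attribute slot is occupied.
 * Returns 0 on success, -ENOENT when the attribute is absent. */
static int parse_tuple(const struct nlattr *const *cda, int type, struct tuple *t)
{
    if (!cda[type])
        return -ENOENT;
    t->addr = cda[type]->addr;
    t->dst.dir = cda[type]->dir;
    return 0;
}

/* Stand-in for nf_ct_tuplehash_to_ctrack(): dst.dir selects one of two
 * hash entries, so any value outside {0,1} is out of bounds. Returns the
 * index, or -1 for an invalid direction. */
static int tuplehash_index(const struct tuple *t)
{
    return t->dst.dir < IP_CT_DIR_MAX ? (int)t->dst.dir : -1;
}

/* "Before" shape: tuples live on the stack, parse results are ignored.
 * The stale stack contents are simulated with a poison byte so the
 * example stays free of undefined behaviour. */
static int create_unguarded(const struct nlattr *const *cda)
{
    struct tuple otuple, rtuple;
    memset(&otuple, 0xA5, sizeof otuple);   /* simulated stale stack */
    memset(&rtuple, 0xA5, sizeof rtuple);
    parse_tuple(cda, CTA_TUPLE_ORIG, &otuple);
    parse_tuple(cda, CTA_TUPLE_REPLY, &rtuple);
    /* A missing tuple keeps dst.dir == 0xA5, so the lookup fails. */
    if (tuplehash_index(&otuple) < 0 || tuplehash_index(&rtuple) < 0)
        return -EFAULT;  /* models the garbage-pointer dereference */
    return 0;
}

/* "After" shape, as in the hunk: reject the request before any
 * uninitialised tuple can reach the hash lookup. */
static int create_guarded(const struct nlattr *const *cda)
{
    struct tuple otuple, rtuple;
    if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
        return -EINVAL;
    memset(&otuple, 0xA5, sizeof otuple);
    memset(&rtuple, 0xA5, sizeof rtuple);
    parse_tuple(cda, CTA_TUPLE_ORIG, &otuple);
    parse_tuple(cda, CTA_TUPLE_REPLY, &rtuple);
    if (tuplehash_index(&otuple) < 0 || tuplehash_index(&rtuple) < 0)
        return -EFAULT;
    return 0;
}

/* Constructed sample attributes; the addresses are arbitrary. */
static const struct nlattr sample_orig  = { CTA_TUPLE_ORIG,  IP_CT_DIR_ORIGINAL, 0x0a000001u };
static const struct nlattr sample_reply = { CTA_TUPLE_REPLY, IP_CT_DIR_REPLY,    0x0a000002u };

/* Builds a request table (with or without the reply tuple) and runs the
 * guarded or unguarded variant. Returns that variant's result code. */
static int run_request(int with_reply, int guarded)
{
    const struct nlattr *cda[CTA_MAX + 1] = {
        NULL, &sample_orig, with_reply ? &sample_reply : NULL
    };
    return guarded ? create_guarded(cda) : create_unguarded(cda);
}

int main(void)
{
    printf("complete request, unguarded: %d\n", run_request(1, 0));
    printf("complete request, guarded:   %d\n", run_request(1, 1));
    printf("missing reply, unguarded:    %d (garbage lookup)\n", run_request(0, 0));
    printf("missing reply, guarded:      %d (-EINVAL)\n", run_request(0, 1));
    return 0;
}
```

The point the model makes is that the parse step's return value is not what protects the create path; the explicit presence check on both attribute slots is, and it has to run before the tuples are handed to anything that trusts them.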