Patchwork netfilter: default to NF_DROP in sip_help_tcp()

login
register
mail settings
Submitter Simon Horman
Date July 10, 2010, 3:16 a.m.
Message ID <20100710031604.GA26990@verge.net.au>
Download mbox | patch
Permalink /patch/58458/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

Simon Horman - July 10, 2010, 3:16 a.m.
I initially noticed this because of the compiler warning below, but it does
seem to be a valid concern in the case where ct_sip_get_header() returns 0
in the first iteration of the while loop.

net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function

Signed-off-by: Simon Horman <horms@verge.net.au>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Patrick McHardy - July 14, 2010, 12:23 p.m.
On 10.07.2010 05:16, Simon Horman wrote:
> I initially noticed this because of the compiler warning below, but it does
> seem to be a valid concern in the case where ct_sip_get_header() returns 0
> in the first iteration of the while loop.
> 
> net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
> net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function

Thanks Simon. I've applied the patch, but changed NF_DROP to
NF_ACCEPT since we should avoid dropping packets with unknown
contents (not SIP) if possible.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Simon Horman - July 14, 2010, 12:38 p.m.
On Wed, Jul 14, 2010 at 02:23:01PM +0200, Patrick McHardy wrote:
> On 10.07.2010 05:16, Simon Horman wrote:
> > I initially noticed this because of the compiler warning below, but it does
> > seem to be a valid concern in the case where ct_sip_get_header() returns 0
> > in the first iteration of the while loop.
> > 
> > net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
> > net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
> 
> Thanks Simon. I've applied the patch, but changed NF_DROP to
> NF_ACCEPT since we should avoid dropping packets with unknown
> contents (not SIP) if possible.

Thanks, to be honest I was a bit unsure of what policy was best.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Simon Horman - Aug. 4, 2010, 8:07 a.m.
On Wed, Jul 14, 2010 at 02:23:01PM +0200, Patrick McHardy wrote:
> On 10.07.2010 05:16, Simon Horman wrote:
> > I initially noticed this because of the compiler warning below, but it does
> > seem to be a valid concern in the case where ct_sip_get_header() returns 0
> > in the first iteration of the while loop.
> > 
> > net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
> > net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
> 
> Thanks Simon. I've applied the patch, but changed NF_DROP to
> NF_ACCEPT since we should avoid dropping packets with unknown
> contents (not SIP) if possible.

Hi Patrick,

I'm not seeing this patch in nf-next-2.6.
Am I looking in the wrong place?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Patrick McHardy - Aug. 4, 2010, 4:10 p.m.
Am 04.08.2010 10:07, schrieb Simon Horman:
> On Wed, Jul 14, 2010 at 02:23:01PM +0200, Patrick McHardy wrote:
>> On 10.07.2010 05:16, Simon Horman wrote:
>>> I initially noticed this because of the compiler warning below, but it does
>>> seem to be a valid concern in the case where ct_sip_get_header() returns 0
>>> in the first iteration of the while loop.
>>>
>>> net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
>>> net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
>>
>> Thanks Simon. I've applied the patch, but changed NF_DROP to
>> NF_ACCEPT since we should avoid dropping packets with unknown
>> contents (not SIP) if possible.
> 
> Hi Patrick,
> 
> I'm not seeing this patch in nf-next-2.6.
> Am I looking in the wrong place?

I was struggling with some file system corruption and didn't manage
to send it out in time, sorry. I'll include it in the next batch of
patches for .36 and will also push it to -stable.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Simon Horman - Aug. 5, 2010, 12:34 a.m.
On Wed, Aug 04, 2010 at 06:10:42PM +0200, Patrick McHardy wrote:
> Am 04.08.2010 10:07, schrieb Simon Horman:
> > On Wed, Jul 14, 2010 at 02:23:01PM +0200, Patrick McHardy wrote:
> >> On 10.07.2010 05:16, Simon Horman wrote:
> >>> I initially noticed this because of the compiler warning below, but it does
> >>> seem to be a valid concern in the case where ct_sip_get_header() returns 0
> >>> in the first iteration of the while loop.
> >>>
> >>> net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
> >>> net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
> >>
> >> Thanks Simon. I've applied the patch, but changed NF_DROP to
> >> NF_ACCEPT since we should avoid dropping packets with unknown
> >> contents (not SIP) if possible.
> > 
> > Hi Patrick,
> > 
> > I'm not seeing this patch in nf-next-2.6.
> > Am I looking in the wrong place?
> 
> I was struggling with some file system corruption and didn't manage
> to send it out in time, sorry. I'll include it in the next batch of
> patches for .36 and will also push it to -stable.

Thanks, I'm happy so long as it makes it eventually.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

Index: nf-next-2.6/net/netfilter/nf_conntrack_sip.c
===================================================================
--- nf-next-2.6.orig/net/netfilter/nf_conntrack_sip.c	2010-07-10 12:11:52.000000000 +0900
+++ nf-next-2.6/net/netfilter/nf_conntrack_sip.c	2010-07-10 12:11:57.000000000 +0900
@@ -1376,7 +1376,7 @@  static int sip_help_tcp(struct sk_buff *
 	unsigned int msglen, origlen;
 	const char *dptr, *end;
 	s16 diff, tdiff = 0;
-	int ret;
+	int ret = NF_DROP;
 	typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
 
 	if (ctinfo != IP_CT_ESTABLISHED &&