From patchwork Fri Jan  8 16:42:12 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Patrick McHardy <kaber@trash.net>
X-Patchwork-Id: 42523
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 1E7B9B6F17
	for <patchwork-incoming@ozlabs.org>;
	Sat,  9 Jan 2010 03:42:34 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754020Ab0AHQmZ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 8 Jan 2010 11:42:25 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1754016Ab0AHQmY
	(ORCPT <rfc822;netdev-outgoing>); Fri, 8 Jan 2010 11:42:24 -0500
Received: from stinky.trash.net ([213.144.137.162]:35878 "EHLO
	stinky.trash.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753977Ab0AHQmN (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 8 Jan 2010 11:42:13 -0500
Received: from x2.localnet (localhost [127.0.0.1])
	by stinky.trash.net (Postfix) with ESMTP id 084D9B2C6E;
	Fri,  8 Jan 2010 17:42:12 +0100 (MET)
From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>,
	netfilter-devel@vger.kernel.org
Message-Id: <20100108164208.28066.62669.sendpatchset@x2.localnet>
In-Reply-To: <20100108164204.28066.44430.sendpatchset@x2.localnet>
References: <20100108164204.28066.44430.sendpatchset@x2.localnet>
Subject: netfilter 03/04: nf_ct_ftp: fix out of bounds read in
	update_nl_seq()
Date: Fri,  8 Jan 2010 17:42:12 +0100 (MET)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

commit aaff23a95aea5f000895f50d90e91f1e2f727002
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Jan 7 18:33:18 2010 +0100

    netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()
    
    As noticed by Dan Carpenter <error27@gmail.com>, update_nl_seq()
    currently contains an out of bounds read of the seq_aft_nl array
    when looking for the oldest sequence number position.
    
    Fix it to only compare valid positions.
    
    Cc: stable@kernel.org
    Signed-off-by: Patrick McHardy <kaber@trash.net>
---
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 38ea7ef..f0732aa 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -323,24 +323,24 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
 			  struct nf_ct_ftp_master *info, int dir,
 			  struct sk_buff *skb)
 {
-	unsigned int i, oldest = NUM_SEQ_TO_REMEMBER;
+	unsigned int i, oldest;
 
 	/* Look for oldest: if we find exact match, we're done. */
 	for (i = 0; i < info->seq_aft_nl_num[dir]; i++) {
 		if (info->seq_aft_nl[dir][i] == nl_seq)
 			return;
-
-		if (oldest == info->seq_aft_nl_num[dir] ||
-		    before(info->seq_aft_nl[dir][i],
-			   info->seq_aft_nl[dir][oldest]))
-			oldest = i;
 	}
 
 	if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
 		info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
-	} else if (oldest != NUM_SEQ_TO_REMEMBER &&
-		   after(nl_seq, info->seq_aft_nl[dir][oldest])) {
-		info->seq_aft_nl[dir][oldest] = nl_seq;
+	} else {
+		if (before(info->seq_aft_nl[dir][0], info->seq_aft_nl[dir][1]))
+			oldest = 0;
+		else
+			oldest = 1;
+
+		if (after(nl_seq, info->seq_aft_nl[dir][oldest]))
+			info->seq_aft_nl[dir][oldest] = nl_seq;
 	}
 }