From patchwork Sat May 16 18:50:46 2015
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 473080
X-Patchwork-Delegate: pablo@netfilter.org
From: Pablo Neira Ayuso
To: stable@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH -stable] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
Date: Sat, 16 May 2015 20:50:46 +0200
Message-Id: <1431802251-4781-2-git-send-email-pablo@netfilter.org>
In-Reply-To: <1431802251-4781-1-git-send-email-pablo@netfilter.org>
References: <1431802251-4781-1-git-send-email-pablo@netfilter.org>
X-Mailer: git-send-email 1.7.10.4
X-Mailing-List: netfilter-devel@vger.kernel.org
From: Ian Wilson

[ upstream commit 78146572b9cd20452da47951812f35b1ad4906be ]

nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(), nfnl_cthelper_get() and nfnl_cthelper_del(). In each case they pass a pointer to an nf_conntrack_tuple data structure local variable:

    struct nf_conntrack_tuple tuple;
    ...
    ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);

The problem is that this local variable is not initialized, and nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and dst.protonum. This leaves all other fields with undefined values based on whatever is on the stack:

    tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
    tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);

The symptom observed was that when the rpc and tns helpers were added, traffic to port 1536 was being sent to user-space.

Cc: # 3.10.x
Cc: # 3.12.x
Cc: # 3.14.x
Cc: # 3.18.x
Cc: # 3.19.x
Signed-off-by: Ian Wilson
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nfnetlink_cthelper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c index a5599fc..54330fb 100644 --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -77,6 +77,9 @@ nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple, if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM]) return -EINVAL; + /* Not all fields are initialized so first zero the tuple */ + memset(tuple, 0, sizeof(struct nf_conntrack_tuple)); + tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM])); tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
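Review bot: the added memset() in the nfnl_cthelper_parse_tuple() hunk is correct but would read better as `memset(tuple, 0, sizeof(*tuple));`, the usual kernel idiom, which also stays right if the parameter type ever changes. Placing the zeroing after the `return -EINVAL;` check is acceptable only because the callers must treat a non-zero return as "tuple unusable": on that early-return path the local is exactly as uninitialized as before this patch, so a short note in the function's comment that the callee fully initializes the tuple on success and leaves it undefined on failure would save the next person from reusing a half-parsed tuple. Since the commit message names three call sites that all pass an uninitialized local, zeroing once in the parser rather than at each caller is the right place for the fix.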
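As an added illustration of the failure mode the commit message describes (this is example code, not part of the patch or of the kernel sources), the C below models the parser with a simplified stand-in struct and hypothetical names: the pre-patch variant writes only l3num and protonum and leaves whatever was in the local before, so a field-by-field lookup matches the registered tuple only when the stale bytes happen to be zero; the post-patch variant zeroes the object first and matches regardless. Leftover stack contents are simulated deterministically with a marker byte, which is a constructed input; real stack contents are undefined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct nf_conntrack_tuple. Layout and field
 * names are hypothetical; the point is that the parsers below only ever
 * write l3num and protonum. */
struct tuple {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
    uint16_t l3num;     /* address family, e.g. 2 for AF_INET */
    uint8_t  protonum;  /* L4 protocol, e.g. 6 for TCP */
    uint8_t  dir;       /* conntrack direction */
};

/* The two netlink attributes the parser consumes (constructed input). */
struct tuple_attrs {
    uint16_t l3num;
    uint8_t  protonum;
};

/* Pre-patch behaviour: two fields written, everything else left as found. */
static int parse_tuple_buggy(struct tuple *t, const struct tuple_attrs *a)
{
    if (a == NULL)
        return -1;
    t->l3num = a->l3num;
    t->protonum = a->protonum;
    return 0;
}

/* Post-patch behaviour: zero the whole object, then fill the two fields,
 * so the remaining fields are defined (zero) instead of stale. */
static int parse_tuple_fixed(struct tuple *t, const struct tuple_attrs *a)
{
    if (a == NULL)
        return -1;
    memset(t, 0, sizeof(*t));
    t->l3num = a->l3num;
    t->protonum = a->protonum;
    return 0;
}

/* Field-by-field comparison, standing in for the lookup that decides
 * which registered helper a parsed tuple refers to. */
static int tuple_equal(const struct tuple *x, const struct tuple *y)
{
    return x->src_ip == y->src_ip && x->dst_ip == y->dst_ip &&
           x->src_port == y->src_port && x->dst_port == y->dst_port &&
           x->l3num == y->l3num && x->protonum == y->protonum &&
           x->dir == y->dir;
}

typedef int (*parse_fn)(struct tuple *, const struct tuple_attrs *);

/* Run a parser on a local whose bytes are first set to stale_byte (the
 * simulated leftover stack data). Returns the dst_port a lookup would
 * then see: 0 for the fixed parser, the marker pattern for the buggy one. */
static uint16_t dst_port_after_parse(parse_fn parse, uint8_t stale_byte)
{
    struct tuple t;
    struct tuple_attrs attrs = { .l3num = 2, .protonum = 6 };

    memset(&t, stale_byte, sizeof(t));
    if (parse(&t, &attrs) != 0)
        return 0xFFFF;
    return t.dst_port;
}

/* 1 if the parsed tuple still matches the clean reference tuple a helper
 * was registered with (l3num=2, protonum=6, everything else zero), else 0. */
static int matches_reference(parse_fn parse, uint8_t stale_byte)
{
    struct tuple parsed, reference;
    struct tuple_attrs attrs = { .l3num = 2, .protonum = 6 };

    memset(&reference, 0, sizeof(reference));
    reference.l3num = 2;
    reference.protonum = 6;

    memset(&parsed, stale_byte, sizeof(parsed));
    if (parse(&parsed, &attrs) != 0)
        return 0;
    return tuple_equal(&parsed, &reference);
}

int main(void)
{
    uint8_t stale[] = { 0x00, 0x06 };
    for (size_t i = 0; i < sizeof(stale); i++) {
        printf("stale=0x%02x buggy: dst_port=%u match=%d | fixed: dst_port=%u match=%d\n",
               stale[i],
               dst_port_after_parse(parse_tuple_buggy, stale[i]),
               matches_reference(parse_tuple_buggy, stale[i]),
               dst_port_after_parse(parse_tuple_fixed, stale[i]),
               matches_reference(parse_tuple_fixed, stale[i]));
    }
    return 0;
}
```

The stale byte 0x00 case is the one that makes this class of bug hard to notice: the buggy parser produces a tuple that compares equal to the reference purely because the stack happened to be clean, and the mismatch only appears once something else has used that frame.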