From patchwork Mon Jan 21 11:53:21 2019
X-Patchwork-Submitter: "Fernando F. Mancera"
X-Patchwork-Id: 1028613
X-Patchwork-Delegate: pablo@netfilter.org
From: Fernando Fernandez Mancera
To: netfilter-devel@vger.kernel.org
Cc: Fernando Fernandez Mancera
Subject: [PATCH nf-next v2] netfilter: nfnetlink_osf: add missing fmatch check
Date: Mon, 21 Jan 2019 12:53:21 +0100
Message-Id: <20190121115321.1091-1-ffmancera@riseup.net>

When we check the tcp options of a packet and it doesn't match the current
fingerprint, the tcp packet option pointer must be restored to its initial
value in order to do the proper tcp options check for the next fingerprint.

Here we can see an example.
Assuming the following fingerprint base with two lines:

S10:64:1:60:M*,S,T,N,W6: Linux:3.0::Linux 3.0
S20:64:1:60:M*,S,T,N,W7: Linux:4.19:arch:Linux 4.1

Where TCP options are the last field in the OS signature, all of them overlap
except for the last one, i.e. 'W6' versus 'W7'. In case a packet for Linux 4.19
kicks in, the osf finds no matching because the TCP options pointer is updated
after checking for the TCP options in the first line.

Therefore, reset pointer back to where it should be.

Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: changes in the commit message
---
 net/netfilter/nfnetlink_osf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c index 6f41dd74729d..1f1d90c1716b 100644 --- a/net/netfilter/nfnetlink_osf.c +++ b/net/netfilter/nfnetlink_osf.c 
@@ -66,6 +66,7 @@ static bool nf_osf_match_one(const struct sk_buff *skb, int ttl_check, struct nf_osf_hdr_ctx *ctx) { + const __u8 *optpinit = ctx->optp; unsigned int check_WSS = 0; int fmatch = FMATCH_WRONG; int foptsize, optnum; @@ -155,6 +156,9 @@ static bool nf_osf_match_one(const struct sk_buff *skb, } } + if (fmatch != FMATCH_OK) + ctx->optp = optpinit; + return fmatch == FMATCH_OK; }
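
Review bot: The `optpinit` declaration added in the first hunk has no comment, and nothing at that point says it snapshots ctx->optp so that a failed comparison can be undone at the end of nf_osf_match_one(). A one-line comment there, plus a name such as optp_init or optp_start, would make the pairing with the restore in the second hunk obvious to the next reader.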
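
Review bot: In the second hunk the restore sits only in front of the final `return fmatch == FMATCH_OK;`, so any earlier exit from nf_osf_match_one() that is not visible in this context would still leave ctx->optp advanced; please confirm there is none, or route such exits through the same restore. A sturdier shape would be to walk the options with a local cursor initialised from ctx->optp and write it back only if the caller needs the advanced position on a match, so the function never leaves ctx half-updated. A short comment above `if (fmatch != FMATCH_OK)` noting that ctx is reused for the next fingerprint would also help.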
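
The failure mode described in the commit message, reduced to a stand-alone C model (an added example, not the kernel code and not the patch author's code). The names `match_one`, `find_match`, `struct fp` and `struct hdr_ctx`, and the one-byte-per-option encoding, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: one byte per TCP option token (constructed data). */
struct fp { const uint8_t *opts; size_t n; };
struct hdr_ctx { const uint8_t *optp, *end; };  /* cursor shared by all fingerprints */

static const uint8_t fp_w6[] = { 'M', 'S', 'T', 'N', '6' };
static const uint8_t fp_w7[] = { 'M', 'S', 'T', 'N', '7' };
static const struct fp base[] = { { fp_w6, 5 }, { fp_w7, 5 } };
static const uint8_t pkt_w7[] = { 'M', 'S', 'T', 'N', '7' };

/* Compare one fingerprint, advancing ctx->optp past each matching option.
 * restore=false models the behaviour before the patch. */
static bool match_one(const struct fp *f, struct hdr_ctx *ctx, bool restore)
{
    const uint8_t *init = ctx->optp;        /* plays the role of optpinit */
    bool ok = true;

    for (size_t i = 0; ok && i < f->n; i++) {
        if (ctx->optp == ctx->end || *ctx->optp != f->opts[i])
            ok = false;
        else
            ctx->optp++;
    }
    if (ctx->optp != ctx->end)
        ok = false;                         /* packet options left unmatched */
    if (!ok && restore)
        ctx->optp = init;                   /* next fingerprint starts clean */
    return ok;
}

/* Index of the first matching fingerprint in base[], or -1. */
static int find_match(const uint8_t *pkt, size_t len, bool restore)
{
    struct hdr_ctx ctx = { pkt, pkt + len };

    for (size_t i = 0; i < sizeof(base) / sizeof(base[0]); i++)
        if (match_one(&base[i], &ctx, restore))
            return (int)i;
    return -1;
}

int main(void)
{
    printf("no restore: %d, restore: %d\n",
           find_match(pkt_w7, sizeof(pkt_w7), false),
           find_match(pkt_w7, sizeof(pkt_w7), true));
    return 0;
}
```

Without the restore, the first fingerprint consumes the four shared options before failing on the last one, so the second fingerprint is compared starting from the wrong offset and never matches.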