[PATCH 2.4] netfilter ip_conntrack_irc parser fix

From: Harald Welte (laforge@netfilter.org)
Date: Fri Jul 25 2003 - 15:50:55 EST


Hi Dave!

This is the 3rd of a set of bugfixes (all tested against 2.4.22-pre7).
You might need to apply them incrementally (didn't test it in a
different order). You will receive 2.6 merges of those patches soon.

Author: Harald Welte <laforge@netfilter.org>

This patch fixes a bug in the IRC DCC command parser of ip_conntrack_irc.

Please apply,

--- linux/net/ipv4/netfilter/ip_conntrack_irc.c.orig Wed May 7 12:13:55 2003
+++ linux/net/ipv4/netfilter/ip_conntrack_irc.c Wed May 7 13:16:00 2003
@@ -59,7 +59,7 @@
         {"TSEND ", 6},
         {"SCHAT ", 6}
 };
-#define MAXMATCHLEN 6
+#define MINMATCHLEN 5
 
 DECLARE_LOCK(ip_irc_lock);
 struct module *ip_conntrack_irc = THIS_MODULE;
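Review bot: MINMATCHLEN 5 is a hand-maintained constant with no visible link to the dccprotos table it describes; the two entries shown in this hunk ("TSEND ", "SCHAT ") both have matchlen 6, so a reader cannot see which entry justifies 5, and a future table edit could silently invalidate the loop bound derived from it. Suggest a comment naming the shortest entry next to the define (or a runtime/compile-time check that every dccprotos[i].matchlen >= MINMATCHLEN) so the "at least N bytes left" reasoning in the later hunks stays true.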
@@ -92,9 +92,11 @@
         *ip = simple_strtoul(data, &data, 10);
 
         /* skip blanks between ip and port */
- while (*data == ' ')
+ while (*data == ' ') {
+ if (data >= data_end)
+ return -1;
                 data++;
-
+ }
 
         *port = simple_strtoul(data, &data, 10);
         *ad_end_p = data;
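Review bot: the new bound check sits after the dereference: `while (*data == ' ')` reads the byte at data before `if (data >= data_end)` is evaluated, so when data == data_end the loop still reads one byte past the end before returning -1. Reorder so the bound is tested first, e.g. `while (data < data_end && *data == ' ') data++; if (data >= data_end) return -1;`. Also note that the two simple_strtoul() calls (ip before this loop, port after it) still scan without reference to data_end; the blank-skipping loop is the only part of parse_dcc this hunk bounds.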
@@ -153,13 +155,17 @@
         }
 
         data_limit = (char *) data + datalen;
- while (data < (data_limit - (22 + MAXMATCHLEN))) {
+
+ /* strlen("\1DCC SEND t AAAAAAAA P\1\n")=24
+ * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */
+ while (data < (data_limit - (19 + MINMATCHLEN))) {
                 if (memcmp(data, "\1DCC ", 5)) {
                         data++;
                         continue;
                 }
 
                 data += 5;
+ /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */
 
                 DEBUGP("DCC found in master %u.%u.%u.%u:%u %u.%u.%u.%u:%u...\n",
                         NIPQUAD(iph->saddr), ntohs(tcph->source),
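Review bot: the comment "5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14" reads as if the whole sum is 14, whereas 14 is only the strlen term and the sum is 5 + 5 + 14 = 24, matching the 19 + MINMATCHLEN used in the loop condition; write it out as `5 + MINMATCHLEN + 14 = 24` so the bound is checkable at a glance. Separately, `data < data_limit - (19 + MINMATCHLEN)` is strict, so a minimal 24-byte DCC line that ends exactly at data_limit is never examined; that is safe (no over-read) but worth a comment or `<=` if the intent is to still match it.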
@@ -174,6 +180,9 @@
 
                         DEBUGP("DCC %s detected\n", dccprotos[i].match);
                         data += dccprotos[i].matchlen;
+ /* we have at least
+ * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
+ * data left (== 14/13 bytes) */
                         if (parse_dcc((char *) data, data_limit, &dcc_ip,
                                        &dcc_port, &addr_beg_p, &addr_end_p)) {
                                 /* unable to parse */
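Review bot: the "(== 14/13 bytes)" guarantee only holds if every dccprotos[i].matchlen is 5 or 6; with a longer match string the remaining-bytes figure drops below the 13 bytes parse_dcc needs for the shortest well-formed "t AAAAAAAA P\1\n" tail, and nothing in this hunk enforces that. Either state the assumption in the comment (matchlen <= MINMATCHLEN + 1) or compute the remaining length and pass it, rather than data_limit alone, so parse_dcc's bound does not depend on the table contents.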

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie




