Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5711b4e8 authored by Máté Eckl's avatar Máté Eckl Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_tproxy: fix possible non-linear access to transport header 



This patch fixes a silent out-of-bound read possibility that was present
because of the misuse of this function.

Mostly it was called with a struct udphdr *hp which had only the udphdr
part linearized by the skb_header_pointer, however
nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads for
tcp specific attributes may be invalid.

Fixes: a583636a ("inet: refactor inet[6]_lookup functions to take skb")
Signed-off-by: default avatarMáté Eckl <ecklm94@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent d376bef9

include/net/netfilter/nf_tproxy.h

+2 −2
Original line number Diff line number Diff line
@@ -64,7 +64,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb, 
 * belonging to established connections going through that one.

 */

struct sock *

nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,

nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,

		      const u8 protocol,

		      const __be32 saddr, const __be32 daddr,

		      const __be16 sport, const __be16 dport,
@@ -103,7 +103,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff, 
			    struct sock *sk);



struct sock *

nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void *hp,

nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,

		      const u8 protocol,

		      const struct in6_addr *saddr, const struct in6_addr *daddr,

		      const __be16 sport, const __be16 dport,

net/ipv4/netfilter/nf_tproxy_ipv4.c

+12 −6
Original line number Diff line number Diff line
@@ -37,7 +37,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb, 
		 * to a listener socket if there's one */

		struct sock *sk2;



		sk2 = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,

		sk2 = nf_tproxy_get_sock_v4(net, skb, iph->protocol,

					    iph->saddr, laddr ? laddr : iph->daddr,

					    hp->source, lport ? lport : hp->dest,

					    skb->dev, NF_TPROXY_LOOKUP_LISTENER);
@@ -71,7 +71,7 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr) 
EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);



struct sock *

nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,

nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,

		      const u8 protocol,

		      const __be32 saddr, const __be32 daddr,

		      const __be16 sport, const __be16 dport,
@@ -79,16 +79,21 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp, 
		      const enum nf_tproxy_lookup_t lookup_type)

{

	struct sock *sk;

	struct tcphdr *tcph;



	switch (protocol) {

	case IPPROTO_TCP:

	case IPPROTO_TCP: {

		struct tcphdr _hdr, *hp;



		hp = skb_header_pointer(skb, ip_hdrlen(skb),

					sizeof(struct tcphdr), &_hdr);

		if (hp == NULL)

			return NULL;



		switch (lookup_type) {

		case NF_TPROXY_LOOKUP_LISTENER:

			tcph = hp;

			sk = inet_lookup_listener(net, &tcp_hashinfo, skb,

						    ip_hdrlen(skb) +

						      __tcp_hdrlen(tcph),

						      __tcp_hdrlen(hp),

						    saddr, sport,

						    daddr, dport,

						    in->ifindex, 0);
@@ -110,6 +115,7 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp, 
			BUG();

		}

		break;

		}

	case IPPROTO_UDP:

		sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,

				     in->ifindex);

net/ipv6/netfilter/nf_tproxy_ipv6.c

+12 −6
Original line number Diff line number Diff line
@@ -55,7 +55,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff, 
		 * to a listener socket if there's one */

		struct sock *sk2;



		sk2 = nf_tproxy_get_sock_v6(net, skb, thoff, hp, tproto,

		sk2 = nf_tproxy_get_sock_v6(net, skb, thoff, tproto,

					    &iph->saddr,

					    nf_tproxy_laddr6(skb, laddr, &iph->daddr),

					    hp->source,
@@ -72,7 +72,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff, 
EXPORT_SYMBOL_GPL(nf_tproxy_handle_time_wait6);



struct sock *

nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void *hp,

nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,

		      const u8 protocol,

		      const struct in6_addr *saddr, const struct in6_addr *daddr,

		      const __be16 sport, const __be16 dport,
@@ -80,15 +80,20 @@ nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void *hp, 
		      const enum nf_tproxy_lookup_t lookup_type)

{

	struct sock *sk;

	struct tcphdr *tcph;



	switch (protocol) {

	case IPPROTO_TCP:

	case IPPROTO_TCP: {

		struct tcphdr _hdr, *hp;



		hp = skb_header_pointer(skb, thoff,

					sizeof(struct tcphdr), &_hdr);

		if (hp == NULL)

			return NULL;



		switch (lookup_type) {

		case NF_TPROXY_LOOKUP_LISTENER:

			tcph = hp;

			sk = inet6_lookup_listener(net, &tcp_hashinfo, skb,

						   thoff + __tcp_hdrlen(tcph),

						   thoff + __tcp_hdrlen(hp),

						   saddr, sport,

						   daddr, ntohs(dport),

						   in->ifindex, 0);
@@ -110,6 +115,7 @@ nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void *hp, 
			BUG();

		}

		break;

		}

	case IPPROTO_UDP:

		sk = udp6_lib_lookup(net, saddr, sport, daddr, dport,

				     in->ifindex);

net/netfilter/xt_TPROXY.c

+4 −4
Original line number Diff line number Diff line
@@ -61,7 +61,7 @@ tproxy_tg4(struct net *net, struct sk_buff *skb, __be32 laddr, __be16 lport, 
	 * addresses, this happens if the redirect already happened

	 * and the current packet belongs to an already established

	 * connection */

	sk = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,

	sk = nf_tproxy_get_sock_v4(net, skb, iph->protocol,

				   iph->saddr, iph->daddr,

				   hp->source, hp->dest,

				   skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);
@@ -77,7 +77,7 @@ tproxy_tg4(struct net *net, struct sk_buff *skb, __be32 laddr, __be16 lport, 
	else if (!sk)

		/* no, there's no established connection, check if

		 * there's a listener on the redirected addr/port */

		sk = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,

		sk = nf_tproxy_get_sock_v4(net, skb, iph->protocol,

					   iph->saddr, laddr,

					   hp->source, lport,

					   skb->dev, NF_TPROXY_LOOKUP_LISTENER);
@@ -150,7 +150,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par) 
	 * addresses, this happens if the redirect already happened

	 * and the current packet belongs to an already established

	 * connection */

	sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff, hp, tproto,

	sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff, tproto,

				   &iph->saddr, &iph->daddr,

				   hp->source, hp->dest,

				   xt_in(par), NF_TPROXY_LOOKUP_ESTABLISHED);
@@ -171,7 +171,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par) 
	else if (!sk)

		/* no there's no established connection, check if

		 * there's a listener on the redirected addr/port */

		sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff, hp,

		sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff,

					   tproto, &iph->saddr, laddr,

					   hp->source, lport,

					   xt_in(par), NF_TPROXY_LOOKUP_LISTENER);