Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c022960c authored by Florian Westphal's avatar Florian Westphal Committed by Greg Kroah-Hartman
Browse files

netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state 



commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.

When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
that has an un-initialized timeout value, i.e. such entry could be
reaped at any time.

Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
an old state.

Reported-by: default avatar <syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 966e597e

net/netfilter/nf_conntrack_proto_dccp.c

+4 −4
Original line number Diff line number Diff line
@@ -244,14 +244,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = 
		 * We currently ignore Sync packets

		 *

		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */

			sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,

			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,

		},

		[DCCP_PKT_SYNCACK] = {

		/*

		 * We currently ignore SyncAck packets

		 *

		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */

			sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,

			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,

		},

	},

	[CT_DCCP_ROLE_SERVER] = {
@@ -372,14 +372,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = 
		 * We currently ignore Sync packets

		 *

		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */

			sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,

			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,

		},

		[DCCP_PKT_SYNCACK] = {

		/*

		 * We currently ignore SyncAck packets

		 *

		 *	sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */

			sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,

			sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,

		},

	},

};