
Commit f9ec1242 authored by Tyler Wear's avatar Tyler Wear Committed by Ravinder Konka

netfilter: Add of NATTYPE COOKIE Check



Add NATTYPE COOKIE to avoid invalid access of NATTYPE
entry from the conntrack module. This compensates for
possible garbage values in the conntrack entry, which
would cause potential errors.

Change-Id: I1a53fa0dc6961dd3e53d382642b413d4ee781ed6
Signed-off-by: Tyler Wear <twear@codeaurora.org>
Signed-off-by: Devendra Patel <cdevenp@codeaurora.org>
parent 46e38bdd
+19 −13
@@ -24,6 +24,7 @@
 * Ubicom32 implementation derived from
 * Cameo's implementation(with many thanks):
 */

#include <linux/types.h>
#include <linux/ip.h>
#include <linux/udp.h>
@@ -59,14 +60,16 @@ struct ipt_nattype {
	struct list_head list;
	struct timer_list timeout;
	unsigned long timeout_value;
	unsigned char is_valid;
	unsigned int nattype_cookie;
	unsigned short proto;		/* Protocol: TCP or UDP */
	struct nf_nat_ipv4_range range;	/* LAN side src info*/
	struct nf_nat_ipv4_range range;	/* LAN side source information */
	unsigned short nat_port;	/* Routed NAT port */
	unsigned int dest_addr;	/* Original egress packets dst addr */
	unsigned short dest_port;/* Original egress packets destination port */
};

#define NATTYPE_COOKIE 0x11abcdef

/* TODO: It might be better to use a hash table for performance in
 * heavy traffic.
 */
@@ -105,7 +108,7 @@ bool nattype_refresh_timer(unsigned long nat_type, unsigned long timeout_value)
	if (!nte)
		return false;
	spin_lock_bh(&nattype_lock);
	if (!nte->is_valid) {
	if (nte->nattype_cookie != NATTYPE_COOKIE) {
		spin_unlock_bh(&nattype_lock);
		return false;
	}
@@ -315,7 +318,8 @@ static unsigned int nattype_nat(struct sk_buff *skb,
		 * Expand the ingress conntrack to include the reply as source
		 */
		DEBUGP("Expand ingress conntrack=%p, type=%d, src[%pI4:%d]\n",
			ct, ctinfo, &newrange.min_ip, ntohs(newrange.min.all));
		       ct, ctinfo, &newrange.min_ip,
		       ntohs(newrange.min.all));
		ct->nattype_entry = (unsigned long)nte;
		ret = nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
		DEBUGP("Expand returned: %d\n", ret);
@@ -416,11 +420,13 @@ static unsigned int nattype_forward(struct sk_buff *skb,
	 * conntrack instead of the headers.
	 */
	if (iph->protocol == IPPROTO_TCP) {
		nte->range.min.tcp.port = ((struct tcphdr *)protoh)->source;
		nte->range.min.tcp.port =
					((struct tcphdr *)protoh)->source;
		nte->range.max.tcp.port = nte->range.min.tcp.port;
		nte->dest_port = ((struct tcphdr *)protoh)->dest;
	} else if (iph->protocol == IPPROTO_UDP) {
		nte->range.min.udp.port = ((struct udphdr *)protoh)->source;
		nte->range.min.udp.port =
					((struct udphdr *)protoh)->source;
		nte->range.max.udp.port = nte->range.min.udp.port;
		nte->dest_port = ((struct udphdr *)protoh)->dest;
	}
@@ -474,7 +480,7 @@ static unsigned int nattype_forward(struct sk_buff *skb,
	add_timer(&nte->timeout);
	list_add(&nte->list, &nattype_list);
	ct->nattype_entry = (unsigned long)nte;
	nte->is_valid = 1;
	nte->nattype_cookie = NATTYPE_COOKIE;
	spin_unlock_bh(&nattype_lock);
	nattype_nte_debug_print(nte, "ADD");
	return XT_CONTINUE;
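Review bot: The cookie comparison in nattype_refresh_timer (`if (nte->nattype_cookie != NATTYPE_COOKIE)`) still dereferences a pointer rebuilt from the `unsigned long` stored in `ct->nattype_entry`, so it filters uninitialised garbage only when that address happens to be readable and gives no protection once an entry has been freed. The path that frees an entry is not visible here; unless it clears the field first, freed memory keeps matching the constant until it is reused, so I would add `nte->nattype_cookie = 0;` under `nattype_lock` before the free. Looking the pointer up in `nattype_list` under the lock, or holding a reference count on the entry, would validate it without reading memory of unknown state. `#define NATTYPE_COOKIE 0x11abcdef` would also benefit from a comment such as `/* Marks a live ipt_nattype entry; cleared before the entry is freed */`. Both nattype_refresh_timer and nattype_forward continue outside the visible hunks.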
+3 −0
@@ -838,6 +838,9 @@ __nf_conntrack_alloc(struct net *net, u16 zone,
	/* Don't set timer yet: wait for confirmation */
	setup_timer(&ct->timeout, death_by_timeout, (unsigned long)ct);
	write_pnet(&ct->ct_net, net);
#if defined(CONFIG_IP_NF_TARGET_NATTYPE_MODULE)
	ct->nattype_entry = 0;
#endif
#ifdef CONFIG_NF_CONNTRACK_ZONES
	if (zone) {
		struct nf_conntrack_zone *nf_ct_zone;
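Review bot: The guard `#if defined(CONFIG_IP_NF_TARGET_NATTYPE_MODULE)` in __nf_conntrack_alloc is true only when the NATTYPE target is built as a module, so a built-in (`=y`) configuration would skip the `ct->nattype_entry = 0;` initialisation. If the field's declaration in struct nf_conn (not shown here) can exist in a built-in configuration, the garbage-pointer case the commit describes remains. Using `#if IS_ENABLED(CONFIG_IP_NF_TARGET_NATTYPE)` on both the declaration and this initialisation covers `=y` and `=m`. The function begins and ends outside the hunk.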