git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Tue, 3 Apr 2012 20:02:01 +0000 (22:02 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Mon, 10 Jun 2013 09:43:38 +0000 (11:43 +0200)
commit	df7753cfd9be4b4fca56b38eb30375d20d3dda4f
tree	ff3cfeed76bfb1818be94f171691fce71f3ed6d4	tree
parent	c023a0b45bb91bce7bf3300518592f07fcd35244	commit \| diff

netfilter: nf_ct_ipv4: packets with wrong ihl are invalid

commit 07153c6ec074257ade76a461429b567cff2b3a1e upstream.

It was reported that the Linux kernel sometimes logs:

klogd: [2629147.402413] kernel BUG at net / netfilter /
nf_conntrack_proto_tcp.c: 447!
klogd: [1072212.887368] kernel BUG at net / netfilter /
nf_conntrack_proto_tcp.c: 392

ipv4_get_l4proto() in nf_conntrack_l3proto_ipv4.c and tcp_error() in
nf_conntrack_proto_tcp.c should catch malformed packets, so the errors
at the indicated lines - TCP options parsing - should not happen.
However, tcp_error() relies on the "dataoff" offset to the TCP header,
calculated by ipv4_get_l4proto(). But ipv4_get_l4proto() does not check
bogus ihl values in IPv4 packets, which then can slip through tcp_error()
and get caught at the TCP options parsing routines.

The patch fixes ipv4_get_l4proto() by invalidating packets with bogus
ihl value.

The patch closes netfilter bugzilla id 771.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>