ipp2p: try to address underflows
authorJan Engelhardt <jengelh@medozas.de>
Thu, 8 Oct 2009 15:26:36 +0000 (17:26 +0200)
committerJan Engelhardt <jengelh@medozas.de>
Thu, 8 Oct 2009 15:26:36 +0000 (17:26 +0200)
Report by: Christian Blum <chrblum@users.sourceforge.net>

"I have found that they panic in an interrupt within xt_ipp2p, function
search_all_gnu(). It's a bounds checking problem; when I add this [a
check for plen >= 65535] at the beginning [of the function] the
servers run fine (very similar to find_all_kazaa())."

doc/changelog.txt
extensions/xt_ipp2p.c

index bc16ec9312ad2843d03f6ec38953379c7e95d708..db68ef779397b250979e9bb6742e23fdeba9947d 100644 (file)
@@ -3,6 +3,7 @@ HEAD
 ====
 - build: compile fixes for 2.6.31-rt
 - build: support for Linux 2.6.32
+- ipp2p: try to address underflows
 - psd: avoid potential crash when dealing with non-linear skbs
 - merge xt_ACCOUNT userspace utilities
 
index c0a364d0c3fd0b118ee2a44b3085beb7756a22d1..7223e5063fe857b5b5cc7eefd03631a8ed026afb 100644 (file)
@@ -844,7 +844,13 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                if (tcph->rst) return 0;  /* if RST bit is set bail out */
 
                haystack += tcph->doff * 4; /* get TCP-Header-Size */
-               hlen -= tcph->doff * 4;
+               if (tcph->doff * 4 > hlen) {
+                       if (info->debug)
+                               pr_info("TCP header indicated packet larger than it is\n");
+                       hlen = 0;
+               } else {
+                       hlen -= tcph->doff * 4;
+               }
                while (matchlist[i].command) {
                        if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
                            hlen > matchlist[i].packet_len)
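Review bot: `haystack += tcph->doff * 4;` still runs before the new length check, so on the malformed path haystack is left pointing past the end of the packet data while hlen is set to 0. Nothing in the visible lines dereferences it in that state, since `hlen > matchlist[i].packet_len` presumably fails for every entry, but that relies on packet_len never being negative and on no later code using haystack. Checking first and bailing out, as the RST case just above does, would be more robust: `if (tcph->doff * 4 > hlen) return 0;` placed before the pointer advance. The `pr_info` can be triggered per packet by remote traffic whenever info->debug is set, so it is worth rate-limiting, for example by guarding it with `net_ratelimit()`. ipp2p_mt starts and ends outside this hunk, so the types of hlen and packet_len should be confirmed there.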