From: Jan Engelhardt Date: Thu, 8 Oct 2009 15:26:36 +0000 (+0200) Subject: ipp2p: try to address underflows X-Git-Tag: v1.19~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=430723ece11b2eeed8ee55d97e82c3b4e26ca938;p=thirdparty%2Fxtables-addons.git ipp2p: try to address underflows Report by: Christian Blum "I have found that they panic in an interrupt within xt_ipp2p, function search_all_gnu(). It's a bounds checking problem; when I add this [a check for plen >= 65535] at the beginning [of the function] the servers run fine (very similar to find_all_kazaa())." --- diff --git a/doc/changelog.txt b/doc/changelog.txt index bc16ec9..db68ef7 100644 --- a/doc/changelog.txt +++ b/doc/changelog.txt @@ -3,6 +3,7 @@ HEAD ==== - build: compile fixes for 2.6.31-rt - build: support for Linux 2.6.32 +- ipp2p: try to address underflows - psd: avoid potential crash when dealing with non-linear skbs - merge xt_ACCOUNT userspace utilities diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c index c0a364d..7223e50 100644 --- a/extensions/xt_ipp2p.c +++ b/extensions/xt_ipp2p.c @@ -844,7 +844,13 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par) if (tcph->rst) return 0; /* if RST bit is set bail out */ haystack += tcph->doff * 4; /* get TCP-Header-Size */ - hlen -= tcph->doff * 4; + if (tcph->doff * 4 > hlen) { + if (info->debug) + pr_info("TCP header indicated packet larger than it is\n"); + hlen = 0; + } else { + hlen -= tcph->doff * 4; + } while (matchlist[i].command) { if ((info->cmd & matchlist[i].command) == matchlist[i].command && hlen > matchlist[i].packet_len)
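Review bot: The changelog entry "ipp2p: try to address underflows" does not tell a user which crash it fixes; since the commit message quotes a panic in search_all_gnu() while the code change guards the TCP header-length subtraction in ipp2p_mt(), the entry should name the affected path, for example "ipp2p: guard against TCP data offset exceeding the payload length (reported panic in search_all_gnu())".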
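Review bot: In the xt_ipp2p.c hunk the new branch sets hlen = 0 when tcph->doff * 4 > hlen, but haystack is still advanced by tcph->doff * 4 on the line above, so it can now point past the end of the packet; that is only safe because the following loop tests hlen > matchlist[i].packet_len before calling any matcher, and this reliance deserves a comment next to hlen = 0 (or, better, a return 0 in the error branch so the matchers are never entered with an out-of-range haystack). The check also does not reject a malformed header with tcph->doff < 5, which the "packet larger than it is" message does not cover; consider a combined test such as `if (tcph->doff < 5 || tcph->doff * 4 > hlen)`. Finally, pr_info() runs on every matched packet when info->debug is set, so a flood of truncated or crafted segments will flood the log; guarding it with `if (net_ratelimit())` keeps the diagnostic without the log pressure. The reporter's suggested plen bound in search_all_gnu() itself is not part of this diff, so the commit message should say whether that check is still intended as a follow-up.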