| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Mar 2015 12:08:48 +0100 From: Pablo Neira Ayuso <pablo@...filter.org> To: Ian Wilson <iwilson@...cade.com> Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() On Thu, Mar 12, 2015 at 09:37:58AM +0000, Ian Wilson wrote: > nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(), > nfnl_cthelper_get() and nfnl_cthelper_del(). In each case they pass > a pointer to an nf_conntrack_tuple data structure local variable: > > struct nf_conntrack_tuple tuple; > ... > ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]); > > The problem is that this local variable is not initialized, and > nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and > dst.protonum. This leaves all other fields with undefined values > based on whatever is on the stack: > > tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM])); > tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]); > > The symptom observed was that when the rpc and tns helpers were added > then traffic to port 1536 was being sent to user-space. Applied, thanks. I'll pass this to -stable too. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists