lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Mar 2011 18:49:10 +0800 From: Feng Gao <kernel.goter@...il.com> To: netdev@...r.kernel.org Subject: [PATCH] ip_fragment:kernel may panic when replay big packet with RST flag Hello everyone: PC(A)-linux(B)-PC(C) computer(linux B) with two net interface,eth0 and eth1. PC(A) send syn to PC(C) though linux B. then PC(C) replay a big packet with RST flag(use tcpsic or other tools). This RST packet(1480) come in from eth0(mtu 1500) and go out from eth1(mtu 700), so this RST packet should fragment. BUT in tcp_packet func: if the connection has no reply packet,and receive the RST packet.ip_conntrack should destroy. if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { /* If only reply is a RST, we can consider ourselves not to have an established connection: this is a fairly common problem case, so we can delete the conntrack immediately. --RR */ if (th->rst) { nf_ct_kill_acct(ct, ctinfo, skb); return NF_ACCEPT; } } BUT the skb->nfct is not set NULL in func nf_ct_kill_acct. so when this RST packet goto ip_fragment,ip_fragment call nf_copy, in __nf_copy func the fragment skb->nfct point to the destory mem. dst->nfct = src->nfct; nf_conntrack_get(src->nfct); SO finally.kfree_skb call destroy_conntrack again. this may result in LINUX B kernel panic. here is the patch,sorry ,i dont know how to use diff to generate patch. :-D /* This func for ip_fragment deal with RST packet */ static inline void nf_copy_rst(struct sk_buff *dst, const struct sk_buff *src) { #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) nf_conntrack_put(dst->nfct); nf_conntrack_put_reasm(dst->nfct_reasm); #endif #ifdef CONFIG_BRIDGE_NETFILTER nf_bridge_put(dst->nf_bridge); dst->nf_bridge = src->nf_bridge; nf_bridge_get(src->nf_bridge); #endif } static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) { to->pkt_type = from->pkt_type; to->priority = from->priority; to->protocol = from->protocol; dst_release(to->dst); to->dst = dst_clone(from->dst); to->dev = from->dev; to->mark = from->mark; /* Copy the flags to each fragment. */ IPCB(to)->flags = IPCB(from)->flags; #ifdef CONFIG_NET_SCHED to->tc_index = from->tc_index; #endif struct tcphdr *th = (struct tcphdr *)((char *)iph + (iph->ihl << 2)); if(iph->protocol == IPPROTO_TCP && th->rst){ /*RST packet*/ nf_copy_rst(to, from); }else{ /*Other packet*/ nf_copy(to, from); } #if defined(CONFIG_NETFILTER_XT_ TARGET_TRACE) || \ defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) to->nf_trace = from->nf_trace; #endif #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE) to->ipvs_property = from->ipvs_property; #endif skb_copy_secmark(to, from); } -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists