lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Mar 2016 14:41:29 +0800 (GMT+08:00) From: "Zhouyi Zhou" <yizhouzhou@....ac.cn> To: "Pablo Neira Ayuso" <pablo@...filter.org> Cc: "Zhouyi Zhou" <zhouzhouyi@...il.com>, eric.dumazet@...il.com, kaber@...sh.net, kadlec@...ckhole.kfki.hu, davem@...emloft.net, netfilter-devel@...r.kernel.org, coreteam@...filter.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, fw@...len.de, gnomes@...rguk.ukuu.org.uk, sergei.shtylyov@...entembedded.com Subject: Re: Re: [PATCH V7] netfilter: h323: avoid potential attack Thanks Pablo for reviewing > From: "Pablo Neira Ayuso" <pablo@...filter.org> > Sent Time: Saturday, March 12, 2016 > To: "Zhouyi Zhou" <zhouzhouyi@...il.com> > On Sun, Feb 21, 2016 at 12:03:59AM +0800, Zhouyi Zhou wrote: > > I think hackers chould build a malicious h323 packet to overflow (iph->ihl * 4 + th->doff * 4); > You cannot trust the information that is available in the header. If > this is bogus this check will be defeated. That's why we pass this > protoff parameters to each function. The length of IP header is checked in the function nf_conntrack_in which calls get_l4proto hook to detect bogus ip header. There is no where in the call stack to the function set_addr to check bogus TCP header, and my code does the job: + th = (void *)iph + iph->ihl * 4; + datalen = skb->len - (iph->ihl * 4 + th->doff * 4); + /* check offset overflow */ + if (addroff > datalen) + return -1; if th->doff be too big addroff will greater than datalen. > > You also refer to get_h225_addr() in your description. That function > always copies 4 or 16 bytes, so I would appreciate if you can describe > the possible issue further. The problem of get_h225_addr lies in bogus taddr->ipAddress.ip, if this value is too big, it may make the pointer p point to no exist address. (gdb) list 686 681 struct h323_ct_state *ctstate) 682 { 683 const unsigned char *p; 684 int len; 685 686 switch (taddr->choice) { 687 case eTransportAddress_ipAddress: 688 if (nf_ct_l3num(ct) != AF_INET) 689 return 0; 690 p = data + taddr->ipAddress.ip; Thanks for your time and effort Cheers Zhouyi
Powered by blists - more mailing lists