From 22db3bcb9ced4ce1b59d4fec45614ef318ffbd80 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 26 Nov 2008 00:36:45 +0100
Subject: [PATCH 1/3] ipp2p: kazaa code cleanup

---
 extensions/xt_ipp2p.c | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 5ea367c..5f25582 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -600,24 +600,28 @@ search_all_gnu(const unsigned char *payload, const unsigned int plen)
 static unsigned int
 search_all_kazaa(const unsigned char *payload, const unsigned int plen)
 {
- if (payload[plen-2] == 0x0d && payload[plen-1] == 0x0a) {
- if (memcmp(payload, "GIVE ", 5) == 0)
- return IPP2P_KAZAA * 100 + 1;
+ if (payload[plen-2] != 0x0d || payload[plen-1] != 0x0a)
+ return 0;
- if (memcmp(payload, "GET /", 5) == 0) {
- uint16_t c = 8;
- const uint16_t end = plen - 22;
+ if (memcmp(payload, "GIVE ", 5) == 0)
+ return IPP2P_KAZAA * 100 + 1;
- while (c < end) {
- if (payload[c] == 0x0a &&
- payload[c+1] == 0x0d &&
- (memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0 ||
- memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0))
- return IPP2P_KAZAA * 100 + 2;
- c++;
- }
+ if (memcmp(payload, "GET /", 5) == 0) {
+ uint16_t c = 8;
+ const uint16_t end = plen - 22;
+
+ for (c = 8; c < end; ++c) {
+ if (payload[c] != 0x0a)
+ continue;
+ if (payload[c+1] != 0x0d)
+ continue;
+ if (memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0)
+ return IPP2P_KAZAA * 100 + 2;
+ if (memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0)
+ return IPP2P_KAZAA * 100 + 2;
 }
 }
+ return 0;
 }

From ee968691d758dbff145c4d237fc52c10683225f5 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 26 Nov 2008 00:47:36 +0100
Subject: [PATCH 2/3] ipp2p: fix newline inspection in kazaa

LFCR looks suspect, it should most likely be CRLF.
---
 extensions/xt_ipp2p.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
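Review bot: In the PATCH 1/3 hunk above, `const uint16_t end = plen - 22;` wraps for short payloads: plen is an unsigned int, so for plen < 22 the subtraction wraps and the value truncated into the uint16_t is large, after which the for loop reads `payload[c+1]` and up to 24 bytes per memcmp well past the end of the packet. The cleanup carries this over from the while loop it replaces, and PATCH 3/3 below changes the constant to 18 without removing the wrap; a `if (plen < 22) return 0;` ahead of the declarations closes it. As a point of style, the initializer in `uint16_t c = 8;` is redundant with `for (c = 8; ...)`, so declaring `c` in the for statement reads cleaner.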
diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 5f25582..806eb04 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -611,9 +611,9 @@ search_all_kazaa(const unsigned char *payload, const unsigned int plen)
 const uint16_t end = plen - 22;
 for (c = 8; c < end; ++c) {
- if (payload[c] != 0x0a)
+ if (payload[c] != 0x0d)
 continue;
- if (payload[c+1] != 0x0d)
+ if (payload[c+1] != 0x0a)
 continue;
 if (memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0)
 return IPP2P_KAZAA * 100 + 2;

From d01a5f3d17212f67357572609c9b473749af8f62 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 10 Dec 2008 16:28:23 +0100
Subject: [PATCH 3/3] ipp2p: ensure better array bounds checking

---
 extensions/xt_ipp2p.c | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 806eb04..9c407ea 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -597,29 +597,40 @@ search_all_gnu(const unsigned char *payload, const unsigned int plen)
 }
 /* check for KaZaA download commands and other typical data */
+/* plen is guaranteed to be >= 5 (see @matchlist) */
 static unsigned int
 search_all_kazaa(const unsigned char *payload, const unsigned int plen)
 {
+ uint16_t c, end, rem;
+
+ if (plen >= 5) {
+ printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) < 5\n",
+ __func__, plen);
+ return 0;
+ }
+
 if (payload[plen-2] != 0x0d || payload[plen-1] != 0x0a)
 return 0;
 if (memcmp(payload, "GIVE ", 5) == 0)
 return IPP2P_KAZAA * 100 + 1;
- if (memcmp(payload, "GET /", 5) == 0) {
- uint16_t c = 8;
- const uint16_t end = plen - 22;
+ if (memcmp(payload, "GET /", 5) != 0)
+ return 0;
- for (c = 8; c < end; ++c) {
- if (payload[c] != 0x0d)
- continue;
- if (payload[c+1] != 0x0a)
- continue;
- if (memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0)
- return IPP2P_KAZAA * 100 + 2;
- if (memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0)
- return IPP2P_KAZAA * 100 + 2;
- }
+ end = plen - 18;
+ rem = plen - 5;
+ for (c = 5; c < end; ++c, --rem) {
+ if (payload[c] != 0x0d)
+ continue;
+ if (payload[c+1] != 0x0a)
+ continue;
+ if (rem >= 18 &&
+ memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0)
+ return IPP2P_KAZAA * 100 + 2;
+ if (rem >= 24 &&
+ memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0)
+ return IPP2P_KAZAA * 100 + 2;
 }
 return 0;
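Review bot: The new length guard at the top of search_all_kazaa is inverted: `if (plen >= 5)` returns 0 (and logs the "plen (%u) < 5" warning) for every payload the matcher is meant to inspect, while payloads shorter than 5 bytes fall through to `payload[plen-2]`; it should read `if (plen < 5) {`. The `rem` thresholds are also two bytes short: `rem` equals `plen - c` inside the loop, but both memcmp calls start at `payload[c+2]`, so 18 and 24 bytes are only in range when `rem >= 20` and `rem >= 26` — and with `end = plen - 18` the loop already keeps `rem > 18`, so the first test as written never rejects anything. `end = plen - 18` further wraps in the uint16_t when 5 <= plen < 18, which needs a `if (plen < 18) return 0;` ahead of it. The function's closing brace appears to lie past the visible end of the hunk.

```c
	uint16_t c, end, rem;

	if (plen < 5) {
		printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) < 5\n",
		       __func__, plen);
		return 0;
	}
	/* … unchanged: CRLF tail check, "GIVE " and "GET /" prefix checks … */
	if (plen < 18)	/* keep end = plen - 18 from wrapping */
		return 0;
	end = plen - 18;
	rem = plen - 5;	/* bytes left from payload[c] onward; stays plen - c */
	for (c = 5; c < end; ++c, --rem) {
		/* … unchanged: CRLF scan … */
		if (rem >= 20 &&	/* CRLF + 18-byte header name */
		    memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0)
			return IPP2P_KAZAA * 100 + 2;
		if (rem >= 26 &&	/* CRLF + 24-byte User-Agent prefix */
		    memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0)
			return IPP2P_KAZAA * 100 + 2;
	}
```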