From 430723ece11b2eeed8ee55d97e82c3b4e26ca938 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 8 Oct 2009 17:26:36 +0200 Subject: [PATCH] ipp2p: try to address underflows Report by: Christian Blum "I have found that they panic in an interrupt within xt_ipp2p, function search_all_gnu(). It's a bounds checking problem; when I add this [a check for plen >= 65535] at the beginning [of the function] the servers run fine (very similar to find_all_kazaa())." --- doc/changelog.txt | 1 + extensions/xt_ipp2p.c | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/changelog.txt b/doc/changelog.txt index bc16ec9..db68ef7 100644 --- a/doc/changelog.txt +++ b/doc/changelog.txt @@ -3,6 +3,7 @@ HEAD ==== - build: compile fixes for 2.6.31-rt - build: support for Linux 2.6.32 +- ipp2p: try to address underflows - psd: avoid potential crash when dealing with non-linear skbs - merge xt_ACCOUNT userspace utilities diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c index c0a364d..7223e50 100644 --- a/extensions/xt_ipp2p.c +++ b/extensions/xt_ipp2p.c @@ -844,7 +844,13 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par) if (tcph->rst) return 0; /* if RST bit is set bail out */ haystack += tcph->doff * 4; /* get TCP-Header-Size */ - hlen -= tcph->doff * 4; + if (tcph->doff * 4 > hlen) { + if (info->debug) + pr_info("TCP header indicated packet larger than it is\n"); + hlen = 0; + } else { + hlen -= tcph->doff * 4; + } while (matchlist[i].command) { if ((info->cmd & matchlist[i].command) == matchlist[i].command && hlen > matchlist[i].packet_len)