anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-08 21:54:57 +02:00
Code Issues Releases Wiki Activity

ipp2p: try to address underflows

Browse Source 
Report by: Christian Blum <chrblum@users.sourceforge.net>

"I have found that they panic in an interrupt within xt_ipp2p, function
search_all_gnu(). It's a bounds checking problem; when I add this [a
check for plen >= 65535] at the beginning [of the function] the
servers run fine (very similar to find_all_kazaa())."
This commit is contained in:
Jan Engelhardt
2009-10-08 17:26:36 +02:00
parent 379e685b0f
commit 430723ece1
2 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
doc/changelog.txt
View File

@@ -3,6 +3,7 @@ HEAD
==== ====
- build: compile fixes for 2.6.31-rt - build: compile fixes for 2.6.31-rt
- build: support for Linux 2.6.32 - build: support for Linux 2.6.32
- ipp2p: try to address underflows
- psd: avoid potential crash when dealing with non-linear skbs - psd: avoid potential crash when dealing with non-linear skbs
- merge xt_ACCOUNT userspace utilities - merge xt_ACCOUNT userspace utilities

8
extensions/xt_ipp2p.c
View File

@@ -844,7 +844,13 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
if (tcph->rst) return 0; /* if RST bit is set bail out */ if (tcph->rst) return 0; /* if RST bit is set bail out */
haystack += tcph->doff * 4; /* get TCP-Header-Size */ haystack += tcph->doff * 4; /* get TCP-Header-Size */
hlen -= tcph->doff * 4; if (tcph->doff * 4 > hlen) {
if (info->debug)
pr_info("TCP header indicated packet larger than it is\n");
hlen = 0;
} else {
hlen -= tcph->doff * 4;
}
while (matchlist[i].command) { while (matchlist[i].command) {
if ((info->cmd & matchlist[i].command) == matchlist[i].command && if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
hlen > matchlist[i].packet_len) hlen > matchlist[i].packet_len)