diff options
Diffstat (limited to 'netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch')
-rw-r--r-- | netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch | 65 |
1 files changed, 0 insertions, 65 deletions
diff --git a/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch b/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch deleted file mode 100644 index 003a30cd..00000000 --- a/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch +++ /dev/null @@ -1,65 +0,0 @@ -Bugzilla: 1077350 -Upstream-status: 3.14-rc1 - -From b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann <dborkman@redhat.com> -Date: Mon, 6 Jan 2014 00:57:54 +0100 -Subject: [PATCH] netfilter: nf_conntrack_dccp: fix skb_header_pointer API - usages - -Some occurences in the netfilter tree use skb_header_pointer() in -the following way ... - - struct dccp_hdr _dh, *dh; - ... - skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); - -... where dh itself is a pointer that is being passed as the copy -buffer. Instead, we need to use &_dh as the forth argument so that -we're copying the data into an actual buffer that sits on the stack. - -Currently, we probably could overwrite memory on the stack (e.g. -with a possibly mal-formed DCCP packet), but unintentionally, as -we only want the buffer to be placed into _dh variable. - -Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support") -Signed-off-by: Daniel Borkmann <dborkman@redhat.com> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c -index 3841268..cb372f9 100644 ---- a/net/netfilter/nf_conntrack_proto_dccp.c -+++ b/net/netfilter/nf_conntrack_proto_dccp.c -@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, - const char *msg; - u_int8_t state; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - BUG_ON(dh == NULL); - - state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; -@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, - u_int8_t type, old_state, new_state; - enum ct_dccp_roles role; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - BUG_ON(dh == NULL); - type = dh->dccph_type; - -@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl, - unsigned int cscov; - const char *msg; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - if (dh == NULL) { - msg = "nf_ct_dccp: short packet "; - goto out_invalid; --- -1.8.5.3 - |