Re: ERRATA Re: [PATCH] fix for netfilter/nat/pppoe crashes (hopefully)

To: Rusty Russell <rusty@xxxxxxxxxxxxxxx>
Subject: Re: ERRATA Re: [PATCH] fix for netfilter/nat/pppoe crashes (hopefully)
From: Harald Welte <laforge@xxxxxxxxxxxx>
Date: Thu, 2 Aug 2001 00:00:46 -0300
Cc: Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>, davem@xxxxxxxxxx (Dave Miller), netfilter-devel@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, Marc Boucher <marc@xxxxxxx>
In-reply-to: <E15SBXD-0002uf-00@localhost>; from rusty@rustcorp.com.au on Thu, Aug 02, 2001 at 04:00:24PM +1000
Mail-followup-to: Harald Welte <laforge@xxxxxxxxxxxx>, Rusty Russell <rusty@xxxxxxxxxxxxxxx>, Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>, davem@xxxxxxxxxx (Dave Miller), netfilter-devel@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, Marc Boucher <marc@xxxxxxx>
References: <200107312226.CAA00407@mops.inr.ac.ru> <E15SBXD-0002uf-00@localhost>
Sender: owner-netdev@xxxxxxxxxxx
User-agent: Mutt/1.3.17i
On Thu, Aug 02, 2001 at 04:00:24PM +1000, Rusty Russell wrote:

> And this is the killer: line 385 (it's redundant: we check this inside
> get_tuple anyway):
> 
>       /* Are they talking about one of our connections? */
>       if (inner->ihl * 4 + 8 > datalen
>           || !get_tuple(inner, datalen, &origtuple, innerproto)) {
> 
> So, we will always have 8 protocol bytes in the inner packet.  This is
> enough to contain the source and destinations ports (TCP/UDP) or ICMP
> id, so we're not writing over the end of the packet...

Well, Rusty, I have to agree with Marc. 

Look at ip_nat_proto_tcp.c:tcp_manip_pkt(). It just assumes that we have 
a tcp header with up to 18 bytes in length, as it overwrites the TCP
header's checksum.

> Please find them and hit them hard...

well... next time I am in .au ;)

> Rusty.

-- 
Live long and prosper
- Harald Welte / laforge@xxxxxxxxxxxx                http://www.gnumonks.org
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)

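An added example, not code from the netfilter tree or from anyone in this thread, illustrating the gap Harald points at: the quoted check only guarantees the inner IP header plus 8 bytes of transport header, which covers the TCP/UDP ports and the ICMP id, but a TCP checksum rewrite touches bytes 16-17 of the TCP header. The inner-packet builder, the helper names (check_fixed_8, check_per_proto, manip_checksum, nat_would_overrun) and the 64-byte buffer are all constructed for this example; the header offsets are the standard IPv4/TCP/UDP/ICMP layouts.

```c
/*
 * Bounds checking for a NAT rewrite of the inner header carried in an ICMP
 * error. Constructed example, not netfilter code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

/* Last byte (exclusive) of the inner transport header that a NAT port/id and
 * checksum rewrite touches: TCP checksum at 16-17, UDP checksum at 6-7,
 * ICMP checksum at 2-3 and id at 4-5 (8 covers the whole echo header). */
static size_t nat_write_end(uint8_t proto)
{
    switch (proto) {
    case PROTO_TCP:  return 18;
    case PROTO_UDP:  return 8;
    case PROTO_ICMP: return 8;
    default:         return 0;   /* protocol NAT does not manipulate */
    }
}

static size_t inner_ihl(const unsigned char *inner)
{
    return (size_t)(inner[0] & 0x0f) * 4u;   /* IHL field, in bytes */
}

static uint8_t inner_proto(const unsigned char *inner)
{
    return inner[9];                          /* IPv4 protocol field */
}

/* The check quoted in the mail: inner IP header plus 8 bytes of payload. */
static int check_fixed_8(const unsigned char *inner, size_t datalen)
{
    return inner_ihl(inner) + 8 <= datalen;
}

/* Per-protocol check: every byte the rewrite writes must lie inside datalen. */
static int check_per_proto(const unsigned char *inner, size_t datalen)
{
    size_t need = nat_write_end(inner_proto(inner));
    if (need == 0)
        return 0;
    return inner_ihl(inner) + need <= datalen;
}

/* Simulated checksum rewrite. Returns 0 and writes nothing if the two
 * checksum bytes would fall past the end of the data we actually have. */
static int manip_checksum(unsigned char *inner, size_t datalen, uint16_t csum)
{
    size_t off;
    switch (inner_proto(inner)) {
    case PROTO_TCP:  off = inner_ihl(inner) + 16; break;
    case PROTO_UDP:  off = inner_ihl(inner) + 6;  break;
    case PROTO_ICMP: off = inner_ihl(inner) + 2;  break;
    default:         return 0;
    }
    if (off + 2 > datalen)
        return 0;                 /* would run off the end of the packet */
    inner[off]     = (unsigned char)(csum >> 8);
    inner[off + 1] = (unsigned char)(csum & 0xff);
    return 1;
}

/* Constructed inner packet: 20-byte IPv4 header (ihl=5) followed by
 * transport_bytes zero bytes. Returns total length, 0 if buf is too small. */
static size_t build_inner(unsigned char *buf, size_t bufsz,
                          uint8_t proto, size_t transport_bytes)
{
    size_t len = 20 + transport_bytes;
    if (len > bufsz)
        return 0;
    memset(buf, 0, len);
    buf[0] = 0x45;                /* version 4, ihl 5 */
    buf[9] = proto;
    return len;
}

/* 1 if the 8-byte check accepts the packet but the checksum rewrite would
 * still write past datalen; 0 otherwise; -1 on a build error. */
static int nat_would_overrun(uint8_t proto, size_t transport_bytes)
{
    unsigned char pkt[64];
    size_t n = build_inner(pkt, sizeof pkt, proto, transport_bytes);
    if (n == 0)
        return -1;
    return check_fixed_8(pkt, n) && !manip_checksum(pkt, n, 0);
}

int main(void)
{
    /* An ICMP error need only carry the first 8 bytes of the inner datagram's
     * payload (RFC 792), so 8 bytes of TCP header is a legitimate input. */
    unsigned char pkt[64];
    size_t n = build_inner(pkt, sizeof pkt, PROTO_TCP, 8);
    printf("TCP, 8 payload bytes: 8-byte check %d, per-proto check %d, overrun %d\n",
           check_fixed_8(pkt, n), check_per_proto(pkt, n),
           nat_would_overrun(PROTO_TCP, 8));
    return 0;
}
```

With 8 bytes of inner TCP header the fixed 8-byte check passes (20 + 8 <= 28) while the checksum rewrite would need bytes 36-37 of a 28-byte buffer; the per-protocol check rejects the same packet, and UDP or ICMP with 8 bytes passes both because their checksum and port/id fields sit inside the first 8 bytes.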