Re: Bug in Linux 2.4 / iptables MAC match module

To: Chris Wilson <chris@xxxxxxxxxxxxxxxx>
Subject: Re: Bug in Linux 2.4 / iptables MAC match module
From: Harald Welte <laforge@xxxxxxxxxxxx>
Date: Tue, 2 Oct 2001 19:57:28 +0200
Cc: Rusty Russell <rusty@xxxxxxxxxxxxxxx>, Marc Boucher <marc@xxxxxxx>, James Morris <jmorris@xxxxxxxxxxxxxxxx>, Netfilter Development Mailinglist <netfilter-devel@xxxxxxxxxxxxxxx>
In-reply-to: <Pine.LNX.4.33.0109251901460.5690-100000@localhost>; from chris@netservers.co.uk on Tue, Sep 25, 2001 at 07:03:45PM +0100
Mail-followup-to: Harald Welte <laforge@xxxxxxxxxxxx>, Chris Wilson <chris@xxxxxxxxxxxxxxxx>, Rusty Russell <rusty@xxxxxxxxxxxxxxx>, Marc Boucher <marc@xxxxxxx>, James Morris <jmorris@xxxxxxxxxxxxxxxx>, Netfilter Development Mailinglist <netfilter-devel@xxxxxxxxxxxxxxx>
References: <Pine.LNX.4.33.0109251901460.5690-100000@localhost>
User-agent: Mutt/1.3.17i
On Tue, Sep 25, 2001 at 07:03:45PM +0100, Chris Wilson wrote:

> Please could you let us know as soon as you have some information
> regarding this bug. We very much hope to hear from you before Wednesday
> 3rd October 2001. If not then we shall be forced, reluctantly, to publish
> this advisory.

ok. There is news about this now.

As far as I understood the problem, the problematic piece of code was:

    /* Is mac pointer valid? */
    return (skb->mac.raw >= skb->head
            && skb->mac.raw < skb->head + skb->len - ETH_HLEN
            /* If so, compare... */
            && ((memcmp(skb->mac.ethernet->h_source, info->srcaddr, ETH_ALEN)
                == 0) ^ info->invert));

skb->head       points to first byte of the layer 2 packet
skb->mac.raw    points to first byte of destination mac address
skb->data       points to first byte of layer 3 packet (== ip header)
skb->len        length of layer three packet (layer 2 payload) in bytes
ETH_HLEN        length of layer 2 header (14 bytes, 2*6byte mac + 2byte l3prot)

The first check checks if the pointer to the beginning of the mac address
is greater than or equal to skb->head. That's ok.

The second check, however, does something strange.  It checks if the pointer to
the beginning of the mac address (first byte of destination mac) is smaller
than skb->head + skb->len - ETH_HLEN.  This doesn't seem to make sense to me.

I guess the intention was to check if the whole mac address fits within the
skb's valid data area.  But this is not what was done.

skb->head + skb->len does not point to the end of the packet;
skb->data + skb->len would.  The original calculation "head + len" leads to
the assumption that the packet is shorter than it really is (by
"skb->data - skb->head" bytes).

I think it's better to check if skb->mac.raw + ETH_HLEN <= skb->data. This is
what the attached patch does.

Could you please verify that your problem is gone with the attached patch?

Thanks.

> Chris Wilson, NetServers lead developer.

-- 
Live long and prosper
- Harald Welte / laforge@xxxxxxxxxxxx               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)

Attachment: pgpmkSlHQtOyt.pgp
Description: PGP signature
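The following is an added illustration of the reasoning in the message above; it is not code from the email, the attached patch, or the kernel. It models the four sk_buff fields the email names in a small constructed struct (toy_skb, with mac_raw standing in for skb->mac.raw and a manual offset standing in for skb->mac.ethernet->h_source), lays out frames with a chosen headroom and layer-3 length, and runs both the quoted bounds check and the proposed replacement. The frame layout, the headroom values, the source MAC and the function names are all assumptions made for the example. With headroom present and a short layer-3 payload, the quoted check treats the packet as ending before the Ethernet header does and refuses to compare the MAC at all, while the proposed check accepts the same frame because the whole 14-byte header lies between head and data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14   /* 2 * 6-byte MAC + 2-byte layer-3 protocol, as in the email */
#define ETH_ALEN 6
#define BUF_SIZE 2048

/* Constructed stand-in for the 2.4 sk_buff fields named in the email.
   Not the kernel's struct; only the members the discussion needs. */
struct toy_skb {
    unsigned char *head;     /* first byte of the buffer */
    unsigned char *mac_raw;  /* first byte of the destination MAC (skb->mac.raw) */
    unsigned char *data;     /* first byte of the layer-3 packet */
    unsigned int   len;      /* layer-3 length in bytes, counted from data */
};

/* Bounds test as quoted from the MAC match module (behaviour kept as quoted). */
static int old_mac_ptr_valid(const struct toy_skb *skb)
{
    return skb->mac_raw >= skb->head
        && skb->mac_raw < skb->head + skb->len - ETH_HLEN;
}

/* Bounds test the email proposes: the whole header must sit between head and data. */
static int new_mac_ptr_valid(const struct toy_skb *skb)
{
    return skb->mac_raw >= skb->head
        && skb->mac_raw + ETH_HLEN <= skb->data;
}

/* Lay out one frame in buf: `headroom` reserved bytes, a 14-byte Ethernet
   header carrying `src_mac` as the source address, then `l3len` payload
   bytes. Fills skb the way a driver would. Returns 0 on success, -1 if
   the frame does not fit in buf. */
static int build_frame(unsigned char *buf, size_t bufsz, size_t headroom,
                       size_t l3len, const unsigned char *src_mac,
                       struct toy_skb *skb)
{
    if (headroom + ETH_HLEN + l3len > bufsz)
        return -1;
    memset(buf, 0, bufsz);
    skb->head    = buf;
    skb->mac_raw = buf + headroom;
    skb->data    = skb->mac_raw + ETH_HLEN;
    skb->len     = (unsigned int)l3len;
    memcpy(skb->mac_raw + ETH_ALEN, src_mac, ETH_ALEN); /* h_source follows h_dest */
    skb->mac_raw[12] = 0x08;                            /* ethertype IPv4 */
    skb->mac_raw[13] = 0x00;
    return 0;
}

/* Evaluate a "--mac-source <src_mac>" style match on a frame that really
   does carry that source MAC, so the rule ought to fire. use_fix selects
   the proposed check (1) or the quoted one (0). Returns 1 if the match
   fires, 0 if the bounds test rejects the frame, -1 on a build error. */
int mac_match_fires(int use_fix, size_t headroom, size_t l3len)
{
    static const unsigned char src_mac[ETH_ALEN] =
        { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };       /* constructed address */
    unsigned char buf[BUF_SIZE];
    struct toy_skb skb;

    if (build_frame(buf, sizeof buf, headroom, l3len, src_mac, &skb) < 0)
        return -1;

    int ptr_ok = use_fix ? new_mac_ptr_valid(&skb) : old_mac_ptr_valid(&skb);
    /* Same shape as the module: pointer check first, then compare h_source. */
    return ptr_ok && memcmp(skb.mac_raw + ETH_ALEN, src_mac, ETH_ALEN) == 0;
}

int main(void)
{
    /* {headroom, layer-3 length}; all lengths are at least a minimal IP header. */
    const size_t cases[][2] = { {0, 1486}, {0, 20}, {16, 64}, {16, 28} };
    size_t i;

    printf("headroom  l3len  quoted-check  proposed-check\n");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%8zu  %5zu  %12d  %14d\n", cases[i][0], cases[i][1],
               mac_match_fires(0, cases[i][0], cases[i][1]),
               mac_match_fires(1, cases[i][0], cases[i][1]));
    return 0;
}
```

The last row is the interesting one: with 16 bytes of headroom and a 28-byte layer-3 packet, head + len - ETH_HLEN lands 14 bytes past head, which is before mac_raw, so the quoted check reports the MAC pointer as invalid and the rule never matches, exactly the "packet is shorter than it really is" effect the email describes; the proposed check compares mac_raw + 14 against data and accepts it.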
