
Re: [PATCH] netfilter6: Skip extension headers when matching icmp6-type

To: okir@xxxxxxx
Subject: Re: [PATCH] netfilter6: Skip extension headers when matching icmp6-type
From: Yasuyuki Kozakai <yasuyuki.kozakai@xxxxxxxxxxxxx>
Date: Thu, 30 Sep 2004 21:39:09 +0900 (JST)
Cc: netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20040930121620.GH19083@suse.de>
References: <20040930121620.GH19083@suse.de>
Sender: netdev-bounce@xxxxxxxxxxx

Thanks. And maybe the current kernel has the same problem in ip6t_multiport.c, too.
But I already sent a patch which fixes this problem to this ML.

See

https://lists.netfilter.org/pipermail/netfilter-devel/2004-September/016783.html

and 

https://lists.netfilter.org/pipermail/netfilter-devel/2004-September/016851.html

Regards,

-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@xxxxxxxxxxxxx>


From: Olaf Kirch <okir@xxxxxxx>
Date: Thu, 30 Sep 2004 14:16:20 +0200

> 
> This patch fixes a bug in the ip6_tables code when matching ICMP type and
> code within ICMPv6 packets. The icmpv6 packet matcher expects the nexthdr
> to be ICMPv6 and does not deal with hop-by-hop headers etc.
> 
> Signed-off-by: Olaf Kirch <okir@xxxxxxx>
> 
> Index: linux-2.6.8.nf/net/ipv6/netfilter/ip6_tables.c
> ===================================================================
> --- linux-2.6.8.nf.orig/net/ipv6/netfilter/ip6_tables.c       2004-08-26 
> 13:22:35.000000000 +0200
> +++ linux-2.6.8.nf/net/ipv6/netfilter/ip6_tables.c    2004-09-30 
> 14:07:51.000000000 +0200
> @@ -1751,10 +1751,23 @@
>          u_int16_t datalen,
>          int *hotdrop)
>  {
> -     const struct icmp6hdr *icmp = hdr;
> +     struct icmp6hdr icmph;
>       const struct ip6t_icmp *icmpinfo = matchinfo;
> +     int hdroff;
> +     u8 nexthdr = skb->nh.ipv6h->nexthdr;
>  
> -     if (offset == 0 && datalen < 2) {
> +     /* Must not be a fragment. */
> +     if (offset)
> +             return 0;
> +
> +     hdroff = (u8*)(skb->nh.ipv6h+1) - skb->data;
> +     hdroff = ipv6_skip_exthdr(skb, hdroff, &nexthdr, skb->len - hdroff);
> +     if (hdroff < 0 || hdroff > skb->len || nexthdr != IPPROTO_ICMPV6) {
> +             *hotdrop = 1;
> +             return 0;
> +     }
> +
> +     if (skb_copy_bits(skb, hdroff, &icmph, sizeof(icmph)) < 0) {
>               /* We've been asked to examine this packet, and we
>                  can't.  Hence, no choice but to drop. */
>               duprintf("Dropping evil ICMP tinygram.\n");
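Review bot: The combined test "hdroff < 0 || hdroff > skb->len || nexthdr != IPPROTO_ICMPV6" sets *hotdrop = 1 for all three conditions, so a packet whose extension-header chain parses cleanly but ends in something other than ICMPv6 is dropped outright instead of simply failing to match this rule. Consider keeping hotdrop for the parse-failure cases (hdroff < 0) and returning 0 without it when nexthdr != IPPROTO_ICMPV6. The "hdroff > skb->len" term overlaps with the skb_copy_bits() check that follows, which already fails when the requested range runs past the packet, so it could be dropped or commented as deliberate. The new hotdrop path also has no duprintf(), unlike the tinygram path directly below it, which makes the two drop reasons hard to tell apart when debugging.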
> @@ -1763,11 +1776,10 @@
>       }
>  
>       /* Must not be a fragment. */
> -     return !offset
> -             && icmp6_type_code_match(icmpinfo->type,
> +     return icmp6_type_code_match(icmpinfo->type,
>                                       icmpinfo->code[0],
>                                       icmpinfo->code[1],
> -                                     icmp->icmp6_type, icmp->icmp6_code,
> +                                     icmph.icmp6_type, icmph.icmp6_code,
>                                       !!(icmpinfo->invflags&IP6T_ICMP_INV));
>  }
>  
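Review bot: The context comment "/* Must not be a fragment. */" left above the return is now stale: the !offset test it described has been removed from this expression and moved to the top of the function, where the same comment was added. Delete this copy so the return statement is not documented as performing a check it no longer does.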
> -- 
> Olaf Kirch     | Things that make Monday morning interesting, #1:
> okir@xxxxxxx   |        "I want to use NFS over AX25, can you help me?"
> ---------------+ 
> 
> 

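The behaviour described in the quoted patch description, as an added user-space example that is not part of the patch or the kernel source: a bounds-checked walk over IPv6 extension headers to reach the ICMPv6 type and code, next to a matcher that assumes ICMPv6 directly follows the fixed header. The function names, the sample packet and the header subset handled (hop-by-hop, routing, destination options only) are assumptions made for illustration; the kernel's ipv6_skip_exthdr() covers more cases.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NH_HOP = 0, NH_ROUTING = 43, NH_ICMPV6 = 58, NH_DEST = 60 };
/* Constructed sample: IPv6 header, 8-byte hop-by-hop header, ICMPv6 echo request. */
static const uint8_t sample_pkt[] = {
    0x60, 0, 0, 0, 0, 16, NH_HOP, 64,                            /* payload len 16 */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,  /* src 2001:db8::1 */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,  /* dst 2001:db8::2 */
    NH_ICMPV6, 0, 1, 4, 0, 0, 0, 0,                              /* hop-by-hop, PadN */
    128, 0, 0, 0, 0, 1, 0, 1                                     /* type 128, code 0 */
};

/* Hypothetical naive matcher: treats byte 40 as the ICMPv6 type unconditionally. */
static int naive_icmp6_type(const uint8_t *p, size_t len) { return len < 42 ? -1 : p[40]; }

/* Returns the ICMPv6 header offset, or -1 if the packet is truncated or the
 * upper-layer protocol is not ICMPv6 (fragment and AH headers are not skipped). */
static int find_icmp6(const uint8_t *p, size_t len, uint8_t *type, uint8_t *code)
{
    size_t off = 40, hlen;
    uint8_t nh;
    if (len < 40)
        return -1;
    nh = p[6];                                  /* nexthdr of the fixed header */
    while (nh == NH_HOP || nh == NH_ROUTING || nh == NH_DEST) {
        if (len - off < 8)
            return -1;                          /* truncated extension header */
        hlen = ((size_t)p[off + 1] + 1) * 8;    /* length field excludes first 8 bytes */
        if (hlen > len - off)
            return -1;                          /* header claims more than we have */
        nh = p[off];
        off += hlen;
    }
    if (nh != NH_ICMPV6 || len - off < 2)
        return -1;
    *type = p[off];
    *code = p[off + 1];
    return (int)off;
}

int main(void)
{
    uint8_t t = 0, c = 0;
    int off = find_icmp6(sample_pkt, sizeof(sample_pkt), &t, &c);
    printf("naive type=%d; walked: off=%d type=%u code=%u\n",
           naive_icmp6_type(sample_pkt, sizeof(sample_pkt)), off, t, c);
}
```

On the sample, the naive read returns the hop-by-hop header's next-header byte rather than the echo-request type, which is why a type/code rule evaluated that way would not match the packet.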