From: Sergei Shtylyov <sergei.shtylyov@cogentembedded•com>
To: Zhouyi Zhou <zhouzhouyi@gmail•com>,
eric.dumazet@gmail•com, pablo@netfilter•org, kaber@trash•net,
kadlec@blackhole•kfki.hu, davem@davemloft•net,
netfilter-devel@vger•kernel.org, coreteam@netfilter•org,
netdev@vger•kernel.org, linux-kernel@vger•kernel.org,
fw@strlen•de, gnomes@lxorguk•ukuu.org.uk
Cc: Zhouyi Zhou <yizhouzhou@ict•ac.cn>
Subject: Re: [PATCH V5] netfilter: h323: avoid potential attack
Date: Tue, 2 Feb 2016 13:55:27 +0300 [thread overview]
Message-ID: <56B08B1F.9050406@cogentembedded.com> (raw)
In-Reply-To: <1454391454-22359-1-git-send-email-zhouzhouyi@gmail.com>
Hello.
On 2/2/2016 8:37 AM, Zhouyi Zhou wrote:
> I think hackers chould build a malicious h323 packet to overflow
> the pointer p which will panic during the memcpy(addr, p, len)
> For example, he may fabricate a very large taddr->ipAddress.ip.
>
> In order to avoid this, I add a valid memory reference check in
> get_h2x5_addr functions.
>
> As suggested by Eric, this module is protected by a lock (nf_h323_lock)
> so adding a variable h323_buffer_valid_bytes that would contain
> the number of valid bytes would not require to change prototypes of
> get_h2x5_addr.
>
> Signed-off-by: Zhouyi Zhou <yizhouzhou@ict•ac.cn>
>
> ---
> net/netfilter/nf_conntrack_h323_main.c | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
> index 9511af0..21665ec 100644
> --- a/net/netfilter/nf_conntrack_h323_main.c
> +++ b/net/netfilter/nf_conntrack_h323_main.c
> @@ -110,6 +110,25 @@ int (*nat_q931_hook) (struct sk_buff *skb,
>
> static DEFINE_SPINLOCK(nf_h323_lock);
> static char *h323_buffer;
> +static int h323_buffer_valid_bytes;
> +
> +static bool h323_buffer_ref_valid(void *p, int len)
> +{
> +
> + if ((unsigned long)len > h323_buffer_valid_bytes) {
> + return false;
> + }
{} not needed.
> +
> + if (p + len > (void *)h323_buffer + h323_buffer_valid_bytes) {
> + return false;
> + }
Likewise.
> +
> + if (p < (void *)h323_buffer) {
> + return false;
> + }
Likewise.
[...]
MBR, Sergei
prev parent reply other threads:[~2016-02-02 10:55 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-02 5:37 [PATCH V5] netfilter: h323: avoid potential attack Zhouyi Zhou
2016-02-02 10:55 ` Sergei Shtylyov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56B08B1F.9050406@cogentembedded.com \
--to=sergei.shtylyov@cogentembedded$(echo .)com \
--cc=coreteam@netfilter$(echo .)org \
--cc=davem@davemloft$(echo .)net \
--cc=eric.dumazet@gmail$(echo .)com \
--cc=fw@strlen$(echo .)de \
--cc=gnomes@lxorguk$(echo .)ukuu.org.uk \
--cc=kaber@trash$(echo .)net \
--cc=kadlec@blackhole$(echo .)kfki.hu \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=netdev@vger$(echo .)kernel.org \
--cc=netfilter-devel@vger$(echo .)kernel.org \
--cc=pablo@netfilter$(echo .)org \
--cc=yizhouzhou@ict$(echo .)ac.cn \
--cc=zhouzhouyi@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox