From: Patrick McHardy Date: Mon, 14 Apr 2008 09:15:52 +0000 (+0200) Subject: [NETFILTER]: nf_conntrack_tcp: catch invalid state updates over ctnetlink X-Git-Tag: v2.6.26-rc1~1138^2~89^2~10 X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=5f7da4d26d421f3bdf10c3bbdb86ffc3a12a84f2;p=linux-2.6-omap-h63xx.git [NETFILTER]: nf_conntrack_tcp: catch invalid state updates over ctnetlink Invalid states can cause out-of-bound memory accesses of the state table. Also don't insist on having a new state contained in the netlink message. Signed-off-by: Patrick McHardy --- diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 62567959b66..57831c75fa9 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -1129,11 +1129,13 @@ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct) if (err < 0) return err; - if (!tb[CTA_PROTOINFO_TCP_STATE]) + if (tb[CTA_PROTOINFO_TCP_STATE] && + nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX) return -EINVAL; write_lock_bh(&tcp_lock); - ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]); + if (tb[CTA_PROTOINFO_TCP_STATE]) + ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]); if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) { struct nf_ct_tcp_flags *attr =