Hi Dave! This is the 3rd of a set of bugfixes (all tested against 2.4.22-pre7). You might need to apply them incrementally (didn't test it in a different order). You will receive 2.6 merges of those patches soon. Author: Harald Welte This patch fixes a bug in the IRC DCC command parser of ip_conntrack_irc Please apply,
--- linux/net/ipv4/netfilter/ip_conntrack_irc.c.orig Wed May 7 12:13:55 2003
+++ linux/net/ipv4/netfilter/ip_conntrack_irc.c Wed May 7 13:16:00 2003
@@ -59,7 +59,7 @@
 {"TSEND ", 6},
 {"SCHAT ", 6}
 };
-#define MAXMATCHLEN 6
+#define MINMATCHLEN 5
 DECLARE_LOCK(ip_irc_lock);
 struct module *ip_conntrack_irc = THIS_MODULE;
@@ -92,9 +92,11 @@
 *ip = simple_strtoul(data, &data, 10);
 /* skip blanks between ip and port */
- while (*data == ' ')
+ while (*data == ' ') {
+ if (data >= data_end)
+ return -1;
 data++;
-
+ }
 *port = simple_strtoul(data, &data, 10);
 *ad_end_p = data;
@@ -153,13 +155,17 @@
 }
 data_limit = (char *) data + datalen;
- while (data < (data_limit - (22 + MAXMATCHLEN))) {
+
+ /* strlen("\1DCC SEND t AAAAAAAA P\1\n")=24 * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */
+ while (data < (data_limit - (19 + MINMATCHLEN))) {
 if (memcmp(data, "\1DCC ", 5)) {
 data++;
 continue;
 }
 data += 5;
+ /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */
 DEBUGP("DCC found in master %u.%u.%u.%u:%u %u.%u.%u.%u:%u...\n",
 NIPQUAD(iph->saddr), ntohs(tcph->source),
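Review bot: `MINMATCHLEN 5` is a hand-maintained copy of the shortest `matchlen` in `dccprotos[]`, and the `19 + MINMATCHLEN` loop bound introduced later in this patch is only valid while that stays true; the two table entries visible in this hunk are 6 bytes long, so the 5 presumably comes from entries above the hunk. A comment on the define would make the coupling explicit: `/* shortest dccprotos[].matchlen; keep in sync with the table above */`.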
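Review bot: The new bound check in parse_dcc's blank-skipping loop comes after `*data` has already been evaluated by the `while` condition, so when the loop is entered with `data == data_end` one byte past the end is still read before `return -1` runs. Testing the pointer first avoids that read and keeps the same failure result: `while (data < data_end && *data == ' ') data++;` followed by `if (data >= data_end) return -1;`. The two `simple_strtoul()` calls on either side of the loop stop only at the first non-digit byte, not at `data_end`, so they can still scan past the end of a payload whose tail is all digits; this change does not address that. parse_dcc's signature and the rest of its body lie outside the hunk.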
@@ -174,6 +180,9 @@
 DEBUGP("DCC %s detected\n", dccprotos[i].match);
 data += dccprotos[i].matchlen;
+ /* we have at least
+ * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
+ * data left (== 14/13 bytes) */
 if (parse_dcc((char *) data, data_limit, &dcc_ip, &dcc_port, &addr_beg_p, &addr_end_p)) {
 /* unable to parse */
-- - Harald Welte http://www.netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
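Review bot: The `(== 14/13 bytes)` figure in the added comment understates the guarantee by one: the enclosing loop condition `data < (data_limit - (19 + MINMATCHLEN))` is strict, so at least 25 bytes remain at the top of the loop, 20 after `data += 5`, and 15 or 14 after a 5- or 6-byte match. Either state it as a lower bound, `(>= 15/14 bytes)`, or drop the parenthetical, since the arithmetic before it already gives the bound. The loop head and the `data += 5` it refers to are above this hunk.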