All of lore.kernel.org
 help / color / mirror / Atom feed
* [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)
@ 2003-08-02 14:34 Netfilter Core Team
  2003-08-02 17:03 ` [vendor-sec] " Matt Zimmerman
  0 siblings, 1 reply; 2+ messages in thread
From: Netfilter Core Team @ 2003-08-02 14:34 UTC (permalink / raw)
  To: Netfilter Announcement List, Netfilter Mailinglist,
	Netfilter Development Mailinglist
  Cc: vendor-sec, bugtraq, lwn

[-- Attachment #1: Type: text/plain, Size: 3933 bytes --]

                  Netfilter Core Team Security Advisory
                  
                           CVE: CAN-2003-0467

Subject:

  Netfilter / NAT Remote DoS

Released:

  01 Aug 2003

Effects:

  Under limited circumstances, a remote user may be able to crash a
  machine doing Network Address Translation (NAT).

Estimated Severity:

  Medium.

Systems Affected:

  Linux 2.4.20 kernels and recent 2.5 kernels with
  CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC enabled, or the
  ip_nat_ftp or ip_nat_irc modules loaded, on which ftp and irc users
  are not packet filtered out.

Solution:

  BEST: Upgrade to Linux kernels 2.4.21 (stable), or apply the patch below.

  OR: As a workaround, the modules can be removed, or iptables can
  be used to block untrusted users from initiating ftp or irc
  connections through the NAT machine.

Details:

  This was verified by Rusty Russell on 2.4.20, and verified fixed
  with this patch.

Vendor Statement:

  Red Hat: All of the 2.4.20-based kernels shipped by Red Hat already
           contain the patch and are not vulnerable to this issue.
  Others:  unknown

Credits:
  The problem was found, and the fix implemented by the Netfilter Core Team.

Contact:
  coreteam@netfilter.org

diff -urpN --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal linux-2.4.21-pre7/net/ipv4/netfilter/ip_nat_helper.c working-2.4.21-pre7-sackadjust/net/ipv4/netfilter/ip_nat_helper.c
--- linux-2.4.21-pre7/net/ipv4/netfilter/ip_nat_helper.c	2003-04-06 15:26:48.000000000 +1000
+++ working-2.4.21-pre7-sackadjust/net/ipv4/netfilter/ip_nat_helper.c	2003-04-14 23:18:38.000000000 +1000
@@ -366,54 +365,49 @@ sack_adjust(struct tcphdr *tcph, 
 }
 			
 
-/* TCP SACK sequence number adjustment, return 0 if sack found and adjusted */
-static inline int
+/* TCP SACK sequence number adjustment. */
+static inline void
 ip_nat_sack_adjust(struct sk_buff *skb,
-			struct ip_conntrack *ct,
-			enum ip_conntrack_info ctinfo)
+		   struct ip_conntrack *ct,
+		   enum ip_conntrack_info ctinfo)
 {
-	struct iphdr *iph;
 	struct tcphdr *tcph;
-	unsigned char *ptr;
-	int length, dir, sack_adjusted = 0;
+	unsigned char *ptr, *optend;
+	unsigned int dir;
 
-	iph = skb->nh.iph;
-	tcph = (void *)iph + iph->ihl*4;
-	length = (tcph->doff*4)-sizeof(struct tcphdr);
+	tcph = (void *)skb->nh.iph + skb->nh.iph->ihl*4;
+	optend = (unsigned char *)tcph + tcph->doff*4;
 	ptr = (unsigned char *)(tcph+1);
 
 	dir = CTINFO2DIR(ctinfo);
 
-	while (length > 0) {
-		int opcode = *ptr++;
+	while (ptr < optend) {
+		int opcode = ptr[0];
 		int opsize;
 
 		switch (opcode) {
 		case TCPOPT_EOL:
-			return !sack_adjusted;
+			return;
 		case TCPOPT_NOP:
-			length--;
+			ptr++;
 			continue;
 		default:
-			opsize = *ptr++;
-			if (opsize > length) /* no partial opts */
-				return !sack_adjusted;
+			opsize = ptr[1];
+			 /* no partial opts */
+			if (ptr + opsize > optend || opsize < 2)
+				return;
 			if (opcode == TCPOPT_SACK) {
 				/* found SACK */
 				if((opsize >= (TCPOLEN_SACK_BASE
 					       +TCPOLEN_SACK_PERBLOCK)) &&
 				   !((opsize - TCPOLEN_SACK_BASE)
 				     % TCPOLEN_SACK_PERBLOCK))
-					sack_adjust(tcph, ptr-2,
+					sack_adjust(tcph, ptr,
 						    &ct->nat.info.seq[!dir]);
-				
-				sack_adjusted = 1;
 			}
-			ptr += opsize-2;
-			length -= opsize;
+			ptr += opsize;
 		}
 	}
-	return !sack_adjusted;
 }
 
 /* TCP sequence number adjustment */

--
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [vendor-sec] [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)
  2003-08-02 14:34 [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle) Netfilter Core Team
@ 2003-08-02 17:03 ` Matt Zimmerman
  0 siblings, 0 replies; 2+ messages in thread
From: Matt Zimmerman @ 2003-08-02 17:03 UTC (permalink / raw)
  To: Netfilter Development Mailinglist

On Sat, Aug 02, 2003 at 04:34:17PM +0200, Netfilter Core Team wrote:

> Systems Affected:
> 
>   Linux 2.4.20 kernels and recent 2.5 kernels with
>   CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC enabled, or the
>   ip_nat_ftp or ip_nat_irc modules loaded, on which ftp and irc users
>   are not packet filtered out.

The other advisory contained an explicit statement about kernels other than
the ones mentioned, but this one did not.  So, just to clarify, am I correct
in inferring that pre-2.4.20 kernels are NOT affected by this bug?



-- 
 - mdz

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2003-08-02 17:03 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-08-02 14:34 [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle) Netfilter Core Team
2003-08-02 17:03 ` [vendor-sec] " Matt Zimmerman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.