[PATCH] Fix possible oops in ipt_REDIRECT

[PATCH] Fix possible oops in ipt_REDIRECT

[Bart De Schuymer]

Hi Dave,

When a device doesn't have an IP address, as in ifconfig eth0 0.0.0.0, then
dev->ip_ptr->ifa_list == NULL.
It is then possible to craft a packet that oopses the kernel:
Suppose eth0 on box 1 was brought up with ifconfig eth0 0.0.0.0
Suppose the iptabes nat table on box 1 contains one rule:
box1# iptables -t nat -A PREROUTING -j REDIRECT

Use box 2, connected to box1 via box1's eth0 to oops the kernel:
box2# arp -s 192.168.123.166 $MAC_OF_ETH0_OF_BOX1
box2# ping 192.168.123.166
Oops on box 1.
(Change 192.168.123.166 into an IP address of the local network)

cheers,
Bart

--- linux-2.4.22/net/ipv4/netfilter/ipt_REDIRECT.c.old	2003-10-20 23:10:02.000000000 +0200
+++ linux-2.4.22/net/ipv4/netfilter/ipt_REDIRECT.c	2003-10-20 23:10:18.000000000 +0200
@@ -79,7 +79,7 @@ redirect_target(struct sk_buff **pskb,
 
 		/* Device might not have an associated in_device. */
 		indev = (struct in_device *)(*pskb)->dev->ip_ptr;
-		if (indev == NULL)
+		if (indev == NULL || indev->ifa_list == NULL)
 			return NF_DROP;
 
 		/* Grab first address on interface. */

--- linux-2.6.0-test8/net/ipv4/netfilter/ipt_REDIRECT.c.old	2003-10-20 22:30:53.000000000 +0200
+++ linux-2.6.0-test8/net/ipv4/netfilter/ipt_REDIRECT.c	2003-10-20 22:31:31.000000000 +0200
@@ -83,7 +83,7 @@ redirect_target(struct sk_buff **pskb,
 
 		/* Device might not have an associated in_device. */
 		indev = (struct in_device *)(*pskb)->dev->ip_ptr;
-		if (indev == NULL)
+		if (indev == NULL || indev->ifa_list == NULL)
 			return NF_DROP;
 
 		/* Grab first address on interface. */

Re: [PATCH] Fix possible oops in ipt_REDIRECT

[David S. Miller]

On Sat, 25 Oct 2003 17:28:56 +0200
Bart De Schuymer <bdschuym@pandora.be> wrote:

> When a device doesn't have an IP address, as in ifconfig eth0 0.0.0.0, then
> dev->ip_ptr->ifa_list == NULL.

Indeed, fix looks good to me.

Applied, thanks Bart.

[PATCH] Fix possible oops in ipt_REDIRECT

[Bart De Schuymer]

Hi Harald,

When a device doesn't have an IP address, as in ifconfig eth0 0.0.0.0, then
dev->ip_ptr->indev == NULL.
It is possible to craft a packet that oopses the kernel:
Suppose eth0 on box 1 was brought up with ifconfig eth0 0.0.0.0
Suppose the iptabes nat table on box 1 contains one rule: -j REDIRECT
Use box 2, connected to box1 via box1's eth0 to oops the kernel:
box2# arp 192.168.123.166 $MAC_OF_ETH0
box2# ping 192.168.123.166
Oops.

By the way, what are your plans with the fix for ip_queue I sent you
on this list?

Bart

--- linux-2.6.0-test8/net/ipv4/netfilter/ipt_REDIRECT.c.old	2003-10-20 22:30:53.000000000 +0200
+++ linux-2.6.0-test8/net/ipv4/netfilter/ipt_REDIRECT.c	2003-10-20 22:31:31.000000000 +0200
@@ -83,7 +83,7 @@ redirect_target(struct sk_buff **pskb,
 
 		/* Device might not have an associated in_device. */
 		indev = (struct in_device *)(*pskb)->dev->ip_ptr;
-		if (indev == NULL)
+		if (indev == NULL || indev->ifa_list == NULL)
 			return NF_DROP;
 
 		/* Grab first address on interface. */

--- linux-2.4.22/net/ipv4/netfilter/ipt_REDIRECT.c.old	2003-10-20 23:10:02.000000000 +0200
+++ linux-2.4.22/net/ipv4/netfilter/ipt_REDIRECT.c	2003-10-20 23:10:18.000000000 +0200
@@ -79,7 +79,7 @@ redirect_target(struct sk_buff **pskb,
 
 		/* Device might not have an associated in_device. */
 		indev = (struct in_device *)(*pskb)->dev->ip_ptr;
-		if (indev == NULL)
+		if (indev == NULL || indev->ifa_list == NULL)
 			return NF_DROP;
 
 		/* Grab first address on interface. */