* [Problem] Linux 2.4.5-ac17 ipt_unclean 'fixes'
@ 2001-07-14 22:00 J Troy Piper
2001-07-14 22:50 ` Josh McKinney
2001-07-16 10:28 ` Rusty Russell
0 siblings, 2 replies; 4+ messages in thread
From: J Troy Piper @ 2001-07-14 22:00 UTC (permalink / raw)
To: linux-kernel; +Cc: Alan Cox, rusty
Alan,
I apologise for having taken so long to write this (I have known about
this problem since 2.4.5ac17 and have not had a chance to document til
today) but there seems to be a problem with the ipt_unclean fixes by Rusty
Russell. ANY incoming packets from any interface (ppp0 and eth0) are
marked as 'unclean' with some variation on the following syslog entry:
Jul 8 23:16:04 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
Jul 8 23:16:05 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
Jul 8 23:16:16 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
Jul 8 23:16:18 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
and thus are blocked by my 'unclean packet dropping' firewall (iptables).
I haven't seen any mention of this on the list, nor have I seen any more
ipt_unclean patches to address this problem, so here's your heads-up
(albeit a bit late).
Thanks,
J Troy Piper
jtp@dok.org
* Re: [Problem] Linux 2.4.5-ac17 ipt_unclean 'fixes'
From: Josh McKinney @ 2001-07-14 22:50 UTC (permalink / raw)
To: linux-kernel
Me too.
On approximately Sat, Jul 14, 2001 at 05:00:21PM -0500, J Troy Piper wrote:
>
> > 2.4.5-ac17
> > o First set of ipt_unclean fixes (Rusty Russell)
>
> Alan,
>
> I apologise for having taken so long to write this (I have known about
> this problem since 2.4.5ac17 and have not had a chance to document til
> today) but there seems to be a problem with the ipt_unclean fixes by Rusty
> Russell. ANY incoming packets from any interface (ppp0 and eth0) are
> marked as 'unclean' with some variation on the following syslog entry:
>
> Jul 8 23:16:04 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
> Jul 8 23:16:05 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
> Jul 8 23:16:16 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
> Jul 8 23:16:18 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
>
> and thus are blocked by my 'unclean packet dropping' firewall (iptables).
>
> I haven't seen any mention of this on the list, nor have I seen any more
> ipt_unclean patches to address this problem, so here's your heads-up
> (albeit a bit late).
>
> Thanks,
>
> J Troy Piper
> jtp@dok.org
* Re: [Problem] Linux 2.4.5-ac17 ipt_unclean 'fixes'
From: Rusty Russell @ 2001-07-16 10:28 UTC (permalink / raw)
To: J Troy Piper; +Cc: linux-kernel, Alan Cox
In message <20010714170021.B1391@dok.org> you write:
> today) but there seems to be a problem with the ipt_unclean fixes by Rusty
> Russell. ANY incoming packets from any interface (ppp0 and eth0) are
> marked as 'unclean' with some variation on the following syslog entry:
>
> Jul 8 23:16:04 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
Please try this patch which fixes this as well, which is in Linus'
pre-patches.
Rusty.
--
Premature optmztion is rt of all evl. --DK
diff -urN linux-2.4.6/net/ipv4/netfilter/ipt_unclean.c linux-2.4.6-f1/net/ipv4/netfilter/ipt_unclean.c
--- linux-2.4.6/net/ipv4/netfilter/ipt_unclean.c Wed Jul 4 21:27:32 2001
+++ linux-2.4.6-f1/net/ipv4/netfilter/ipt_unclean.c Thu Jul 5 19:16:00 2001
@@ -268,6 +268,7 @@
int embedded)
{
u_int8_t *opt = (u_int8_t *)tcph;
+ u_int8_t *endhdr = (u_int8_t *)tcph + tcph->doff * 4;
u_int8_t tcpflags;
int end_of_options = 0;
size_t i;
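Review bot: endhdr is computed from the packet-supplied tcph->doff in the declaration block, and nothing in the visible context shows doff * 4 being checked against the amount of data actually present before that. The pointer is only a safe bound for the later option test if that validation has already happened or happens before the options loop; please confirm that, or derive endhdr after the data-offset check. Since opt already aliases tcph, writing it as opt + tcph->doff * 4 would also make the relationship between the two pointers obvious.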
@@ -373,7 +374,7 @@
return 0;
}
/* CHECK: oversize options. */
- else if (opt[i+1] + i >= tcph->doff * 4) {
+ else if (&opt[i] + opt[i+1] > endhdr) {
limpk("TCP option %u at %Zu too long\n",
(unsigned int) opt[i], i);
return 0;
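Review bot: the behavioural change in the replaced test is the move from >= to >, not the switch to pointer arithmetic, and neither the comment nor the patch description says so. With the old "opt[i+1] + i >= tcph->doff * 4", an option whose last byte is the last byte of the header was reported as too long, which matches the "TCP option 3 at 37 too long" report in this thread if that option is 3 bytes long in a 40-byte header. Please extend the /* CHECK: oversize options. */ comment to state that an option ending exactly at endhdr is valid. The test also reads opt[i+1]; the guard that keeps i+1 inside the header is not in the visible context and should be confirmed to run first.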
@@ -392,6 +393,7 @@
check_ip(struct iphdr *iph, size_t length, int embedded)
{
u_int8_t *opt = (u_int8_t *)iph;
+ u_int8_t *endhdr = (u_int8_t *)iph + iph->ihl * 4;
int end_of_options = 0;
void *protoh;
size_t datalen;
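Review bot: endhdr here is taken from iph->ihl alone, while the function is also handed length in its signature. If ihl * 4 has not been checked against length before the options loop runs, the new bound can sit past the data that was received; the visible lines do not show that ordering, so it is worth confirming, or computing endhdr after the ihl check.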
@@ -444,7 +446,7 @@
return 0;
}
/* CHECK: oversize options. */
- else if (opt[i+1] + i > iph->ihl * 4) {
+ else if (&opt[i] + opt[i+1] > endhdr) {
limpk("IP option %u at %u too long\n",
opt[i], i);
return 0;
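Review bot: the limpk call under the changed test prints the offset with %u and passes opt[i] uncast, while the TCP message earlier in this patch uses %Zu and an (unsigned int) cast. The declaration of i is outside the visible context; if it is a size_t as in the TCP function, the format should be %Zu to match. Unlike the TCP hunk, the old comparison here already used >, so this change looks like a rewrite into the same form with no change in which packets are accepted; saying so in the patch description would help reviewers.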
* Re: [Problem] Linux 2.4.5-ac17 ipt_unclean 'fixes'
From: J Troy Piper @ 2001-07-16 22:09 UTC (permalink / raw)
To: Rusty Russell; +Cc: J Troy Piper, linux-kernel, Alan Cox
Indeed, the patches work and I see that they have made it into 2.4.5-ac3
with the rest of the Linux -pre merge. Thanks.
Troy.
On Mon, Jul 16, 2001 at 08:28:45PM +1000, Rusty Russell wrote:
> In message <20010714170021.B1391@dok.org> you write:
> > today) but there seems to be a problem with the ipt_unclean fixes by Rusty
> > Russell. ANY incoming packets from any interface (ppp0 and eth0) are
> > marked as 'unclean' with some variation on the following syslog entry:
> >
> > Jul 8 23:16:04 paranoia kernel: ipt_unclean: TCP option 3 at 37 too long
>
> Please try this patch which fixes this as well, which is in Linus'
> pre-patches.
>
> Rusty.
> --
> Premature optmztion is rt of all evl. --DK
>
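The boundary case behind the "TCP option 3 at 37 too long" log lines, as an added example that is not part of any message in this thread or of ipt_unclean.c: a stand-alone option walk that applies the comparison the patch removes and the one it adds (written here as offsets rather than pointers) to a constructed 40-byte TCP header. The option layout, first_oversize() and its return codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 20-byte TCP header plus 20 bytes of options.
 * Byte 12 is 0xa0, so the data offset is 10 words = 40 bytes. */
static const uint8_t sample_syn[40] = {
    0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0xa0,0x02, 0x16,0xd0, 0,0, 0,0,
    2, 4, 0x05, 0xb4,                /* offset 20: MSS, length 4 */
    4, 2,                            /* offset 24: SACK permitted, length 2 */
    8, 10, 0,0,0,1, 0,0,0,0,         /* offset 26: timestamps, length 10 */
    1,                               /* offset 36: NOP */
    3, 3, 7                          /* offset 37: window scale, ends at 40 */
};

enum check { OLD_CHECK, NEW_CHECK };

/* Hypothetical helper: returns the offset of the first option flagged as
 * too long, -1 if all options fit, -2 if the header itself is malformed. */
static int first_oversize(const uint8_t *hdr, size_t caplen, enum check which)
{
    size_t hdrlen, i = 20;
    if (caplen < 20)
        return -2;
    hdrlen = (size_t)(hdr[12] >> 4) * 4;
    if (hdrlen < 20 || hdrlen > caplen)   /* validate doff before using it */
        return -2;
    while (i < hdrlen) {
        if (hdr[i] == 0)                  /* end of option list */
            break;
        if (hdr[i] == 1) { i++; continue; }   /* NOP is a single byte */
        if (i + 1 >= hdrlen || hdr[i + 1] < 2)
            return -2;                    /* no room for, or bad, length byte */
        if ((which == OLD_CHECK) ? (hdr[i + 1] + i >= hdrlen)   /* removed test */
                                 : (i + hdr[i + 1] > hdrlen))   /* added test */
            return (int)i;
        i += hdr[i + 1];
    }
    return -1;
}

int main(void)
{
    printf("old=%d new=%d\n", first_oversize(sample_syn, 40, OLD_CHECK),
           first_oversize(sample_syn, 40, NEW_CHECK));
    return 0;
}
```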