* [PATCH 2.4] netfilter ip_conntrack_irc parser fix
@ 2003-07-25 20:50 Harald Welte
0 siblings, 0 replies; only message in thread
From: Harald Welte @ 2003-07-25 20:50 UTC (permalink / raw)
To: David Miller; +Cc: Netfilter Development Mailinglist, Linux Kernel Mailinglist
[-- Attachment #1: Type: text/plain, Size: 2305 bytes --]
Hi Dave!
This is the 3rd of a set of bugfixes (all tested against 2.4.22-pre7).
You might need to apply them incrementally (didn't test it in a
different order). You will receive 2.6 merges of those patches soon.
Author: Harald Welte <laforge@netfilter.org>
This patch fixes a bug in the IRC DCC command parser of ip_conntrack_irc
Please apply,
--- linux/net/ipv4/netfilter/ip_conntrack_irc.c.orig Wed May 7 12:13:55 2003
+++ linux/net/ipv4/netfilter/ip_conntrack_irc.c Wed May 7 13:16:00 2003
@@ -59,7 +59,7 @@
{"TSEND ", 6},
{"SCHAT ", 6}
};
-#define MAXMATCHLEN 6
+#define MINMATCHLEN 5
DECLARE_LOCK(ip_irc_lock);
struct module *ip_conntrack_irc = THIS_MODULE;
@@ -92,9 +92,11 @@
*ip = simple_strtoul(data, &data, 10);
/* skip blanks between ip and port */
- while (*data == ' ')
+ while (*data == ' ') {
+ if (data >= data_end)
+ return -1;
data++;
-
+ }
*port = simple_strtoul(data, &data, 10);
*ad_end_p = data;
@@ -153,13 +155,17 @@
}
data_limit = (char *) data + datalen;
- while (data < (data_limit - (22 + MAXMATCHLEN))) {
+
+ /* strlen("\1DCC SEND t AAAAAAAA P\1\n")=24
+ * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */
+ while (data < (data_limit - (19 + MINMATCHLEN))) {
if (memcmp(data, "\1DCC ", 5)) {
data++;
continue;
}
data += 5;
+ /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */
DEBUGP("DCC found in master %u.%u.%u.%u:%u %u.%u.%u.%u:%u...\n",
NIPQUAD(iph->saddr), ntohs(tcph->source),
@@ -174,6 +180,9 @@
DEBUGP("DCC %s detected\n", dccprotos[i].match);
data += dccprotos[i].matchlen;
+ /* we have at least
+ * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
+ * data left (== 14/13 bytes) */
if (parse_dcc((char *) data, data_limit, &dcc_ip,
&dcc_port, &addr_beg_p, &addr_end_p)) {
/* unable to parse */
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2003-07-25 21:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-07-25 20:50 [PATCH 2.4] netfilter ip_conntrack_irc parser fix Harald Welte
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).