* [PATCH 2.6] netfilter ip_conntrack_irc parser fix
@ 2003-07-25 20:52 Harald Welte
0 siblings, 0 replies; only message in thread
From: Harald Welte @ 2003-07-25 20:52 UTC (permalink / raw)
To: David Miller; +Cc: Netfilter Development Mailinglist, Linux Kernel Mailinglist
[-- Attachment #1: Type: text/plain, Size: 2433 bytes --]
Hi Dave!
This is the 3rd of my 2.6 merge of the recent bugfixes (all tested
against 2.4.22-pre7). You might need to apply them incrementally
(didn't test it in a different order). You will receive 2.6 merges of
those patches soon.
Author: Harald Welte <laforge@netfilter.org>
This patch fixes a bug in the IRC DCC command parser of ip_conntrack_irc
Please apply,
--- linux-2.6.0-test1/net/ipv4/netfilter/ip_conntrack_irc.c 2003-07-14 05:36:48.000000000 +0200
+++ linux-2.6.0-test1-nftest2/net/ipv4/netfilter/ip_conntrack_irc.c 2003-07-19 11:41:49.000000000 +0200
@@ -54,7 +54,7 @@
#endif
static char *dccprotos[] = { "SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT " };
-#define MAXMATCHLEN 6
+#define MINMATCHLEN 5
DECLARE_LOCK(ip_irc_lock);
struct module *ip_conntrack_irc = THIS_MODULE;
@@ -87,9 +87,11 @@
*ip = simple_strtoul(data, &data, 10);
/* skip blanks between ip and port */
- while (*data == ' ')
+ while (*data == ' ') {
+ if (data >= data_end)
+ return -1;
data++;
-
+ }
*port = simple_strtoul(data, &data, 10);
*ad_end_p = data;
@@ -139,13 +141,17 @@
data = irc_buffer;
data_limit = irc_buffer + skb->len - dataoff;
- while (data < (data_limit - (22 + MAXMATCHLEN))) {
+
+ /* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24
+ * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */
+ while (data < (data_limit - (19 + MINMATCHLEN))) {
if (memcmp(data, "\1DCC ", 5)) {
data++;
continue;
}
data += 5;
+ /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */
DEBUGP("DCC found in master %u.%u.%u.%u:%u %u.%u.%u.%u:%u...\n",
NIPQUAD(iph->saddr), ntohs(tcph.source),
@@ -159,6 +165,9 @@
DEBUGP("DCC %s detected\n", dccprotos[i]);
data += strlen(dccprotos[i]);
+ /* we have at least
+ * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
+ * data left (== 14/13 bytes) */
if (parse_dcc((char *)data, data_limit, &dcc_ip,
&dcc_port, &addr_beg_p, &addr_end_p)) {
/* unable to parse */
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2003-07-25 20:58 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-07-25 20:52 [PATCH 2.6] netfilter ip_conntrack_irc parser fix Harald Welte
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).