netfilter: expect: Make sure the max_expected limit is effective
authorGao Feng <fgao@ikuai8.com>
Fri, 24 Mar 2017 13:32:19 +0000 (21:32 +0800)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 6 Apr 2017 16:32:16 +0000 (18:32 +0200)
Because expecting, a member of nf_conn_help, has type u8, it
overflows after reaching U8_MAX (255). So the limit does not work when
max_expected is configured above 255 in the expect policy.

Now add the check for max_expected. Return the -EINVAL when it exceeds
the limit.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_conntrack_expect.h
net/netfilter/nf_conntrack_helper.c
net/netfilter/nf_conntrack_irc.c
net/netfilter/nfnetlink_cthelper.c

index 65cc2cb005d937d610a2f072cb4f0f9c61570e60..e84df8d3bf37a7cb99e0a90efd95b283017adcc0 100644 (file)
@@ -73,6 +73,7 @@ struct nf_conntrack_expect_policy {
 };
 
 #define NF_CT_EXPECT_CLASS_DEFAULT     0
+#define NF_CT_EXPECT_MAX_CNT           255
 
 int nf_conntrack_expect_pernet_init(struct net *net);
 void nf_conntrack_expect_pernet_fini(struct net *net);
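Review bot: `NF_CT_EXPECT_MAX_CNT` is added with no comment saying where 255 comes from. According to the commit message it is the ceiling of the u8 `expecting` counter in `nf_conn_help`, which is not visible in this hunk. If that field is ever widened or narrowed, the limit would silently stop matching it. I would add `/* upper bound for max_expected: nf_conn_help.expecting[] is u8 */` above the define, or define it as `U8_MAX` so the tie to the counter's type is explicit.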
index 6dc44d9b41900bea12f487e5a044259e92a47f7e..752a977e9eef3bd96233da83624d6a2ef8b9c11b 100644 (file)
@@ -385,6 +385,9 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
        BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
        BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
 
+       if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
+               return -EINVAL;
+
        mutex_lock(&nf_ct_helper_mutex);
        hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
                if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)) {
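Review bot: Only the first policy entry is validated here, because `me->expect_policy->max_expected` is `expect_policy[0]`. The `BUG_ON` just above allows `expect_class_max` to be non-zero, which suggests a helper can carry one policy per class. If so, a helper with several classes can still register a later class whose max_expected exceeds 255, and the u8 counter described in the commit message would wrap for that class, leaving its expectation limit ineffective. Consider checking every entry: `for (i = 0; i <= me->expect_class_max; i++)` with `if (me->expect_policy[i].max_expected > NF_CT_EXPECT_MAX_CNT) return -EINVAL;`. The function body starts and ends outside this hunk.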
index 1972a149f958350c6f6dd5f466d36fed152b76fc..1a5af4d4af2dc57f561dbaf0d08722f4579e5eb2 100644 (file)
@@ -243,6 +243,12 @@ static int __init nf_conntrack_irc_init(void)
                return -EINVAL;
        }
 
+       if (max_dcc_channels > NF_CT_EXPECT_MAX_CNT) {
+               pr_err("max_dcc_channels must not be more than %u\n",
+                      NF_CT_EXPECT_MAX_CNT);
+               return -EINVAL;
+       }
+
        irc_exp_policy.max_expected = max_dcc_channels;
        irc_exp_policy.timeout = dcc_timeout;
 
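Review bot: The `pr_err` format uses `%u`, but `NF_CT_EXPECT_MAX_CNT` expands to the plain `int` literal 255, so the specifier and the argument type disagree. It is harmless for this value but would be reported under `-Wformat-signedness`. Either print it with `%d` or make the constant unsigned, `#define NF_CT_EXPECT_MAX_CNT 255U`. nf_conntrack_irc_init starts above the hunk and continues below it.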
index d45558178da5b62a8ad7c896e096c1862c512091..d5025cc25df388cf0b6d34a4b15f136cc225028d 100644 (file)
@@ -150,6 +150,9 @@ nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy,
                nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
        expect_policy->max_expected =
                ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
+       if (expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
+               return -EINVAL;
+
        expect_policy->timeout =
                ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
 
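Review bot: The out-of-range value is written into `expect_policy->max_expected` before it is checked, so on `-EINVAL` the caller's structure is left holding the rejected value along with the name copied just above. Whether the caller discards the structure on error is not visible here. Validating first avoids relying on that: `u32 max = ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));`, then `if (max > NF_CT_EXPECT_MAX_CNT) return -EINVAL;`, and only then the assignment. The same store-then-check order appears in the `nfnl_cthelper_update_policy_one` hunk that follows. The function continues outside this hunk.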
@@ -290,6 +293,9 @@ nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy,
 
        new_policy->max_expected =
                ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
+       if (new_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
+               return -EINVAL;
+
        new_policy->timeout =
                ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));