netfilter: nf_ct_helper: disable automatic helper re-assignment of different type

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This patch modifies __nf_ct_try_assign_helper in a way that invalidates support
for the following scenario:

1) attach the helper A for first time when the conntrack is created
2) attach new (different) helper B due to changes the reply tuple caused by NAT

eg. port redirection from TCP/21 to TCP/5060 with both FTP and SIP helpers
loaded, which seems to be a quite unorthodox scenario.

I can provide a more elaborated patch to support this scenario but explicit
helper attachment provides a better solution for this since now the use can
attach the helpers consistently, without relying on the automatic helper
lookup magic.

This patch fixes a possible out of bound zeroing of the conntrack helper
extension if the helper B uses more memory for its private data than
helper A.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo Neira Ayuso 13 years ago 32f53760 fd7462de

+7 -1

1 changed file

expand all

net

netfilter

nf_conntrack_helper.c

+7 -1

net/netfilter/nf_conntrack_helper.c

··· 229 229 goto out; 230 230 } 231 231 } else { 232 - memset(help->data, 0, helper->data_len); 232 + /* We only allow helper re-assignment of the same sort since 233 + * we cannot reallocate the helper extension area. 234 + */ 235 + if (help->helper != helper) { 236 + RCU_INIT_POINTER(help->helper, NULL); 237 + goto out; 238 + } 233 239 } 234 240 235 241 rcu_assign_pointer(help->helper, helper);