Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Florian Westhal says:

====================
netfilter: bugfixes for net

The following set contains four netfilter patches for your *net* tree.

When there are multiple Contact headers in a SIP message its possible
the next headers won't be found because the SIP helper confuses relative
and absolute offsets in the message. From Igor Ryzhov.

Make the nft_concat_range self-test support socat, this makes the
selftest pass on my test VM, from myself.

nf_conntrack_irc helper can be tricked into opening a local port forward
that the client never requested by embedding a DCC message in a PING
request sent to the client. Fix from David Leadbeater.

Both have been broken since the kernel 2.6.x days.

The 'osf' match might indicate success while it could not find
anything, broken since 5.2 . Fix from Pablo Neira.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 3 years ago df2a6017 26b12249

+86 -21

4 changed files

expand all

net

netfilter

nf_conntrack_irc.c

nf_conntrack_sip.c

nfnetlink_osf.c

tools

testing

selftests

netfilter

nft_concat_range.sh

+28 -6

net/netfilter/nf_conntrack_irc.c

··· 157 157 data = ib_ptr; 158 158 data_limit = ib_ptr + datalen; 159 159 160 - /* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24 161 - * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */ 162 - while (data < data_limit - (19 + MINMATCHLEN)) { 163 - if (memcmp(data, "\1DCC ", 5)) { 160 + /* Skip any whitespace */ 161 + while (data < data_limit - 10) { 162 + if (*data == ' ' || *data == '\r' || *data == '\n') 163 + data++; 164 + else 165 + break; 166 + } 167 + 168 + /* strlen("PRIVMSG x ")=10 */ 169 + if (data < data_limit - 10) { 170 + if (strncasecmp("PRIVMSG ", data, 8)) 171 + goto out; 172 + data += 8; 173 + } 174 + 175 + /* strlen(" :\1DCC SENT t AAAAAAAA P\1\n")=26 176 + * 7+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=26 177 + */ 178 + while (data < data_limit - (21 + MINMATCHLEN)) { 179 + /* Find first " :", the start of message */ 180 + if (memcmp(data, " :", 2)) { 164 181 data++; 165 182 continue; 166 183 } 184 + data += 2; 185 + 186 + /* then check that place only for the DCC command */ 187 + if (memcmp(data, "\1DCC ", 5)) 188 + goto out; 167 189 data += 5; 168 - /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */ 190 + /* we have at least (21+MINMATCHLEN)-(2+5) bytes valid data left */ 169 191 170 192 iph = ip_hdr(skb); 171 193 pr_debug("DCC found in master %pI4:%u %pI4:%u\n", ··· 203 181 pr_debug("DCC %s detected\n", dccprotos[i]); 204 182 205 183 /* we have at least 206 - * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid 184 + * (21+MINMATCHLEN)-7-dccprotos[i].matchlen bytes valid 207 185 * data left (== 14/13 bytes) */ 208 186 if (parse_dcc(data, data_limit, &dcc_ip, 209 187 &dcc_port, &addr_beg_p, &addr_end_p)) {

+2 -2

net/netfilter/nf_conntrack_sip.c

··· 477 477 return ret; 478 478 if (ret == 0) 479 479 break; 480 - dataoff += *matchoff; 480 + dataoff = *matchoff; 481 481 } 482 482 *in_header = 0; 483 483 } ··· 489 489 break; 490 490 if (ret == 0) 491 491 return ret; 492 - dataoff += *matchoff; 492 + dataoff = *matchoff; 493 493 } 494 494 495 495 if (in_header)

+3 -1

net/netfilter/nfnetlink_osf.c

··· 269 269 struct nf_osf_hdr_ctx ctx; 270 270 const struct tcphdr *tcp; 271 271 struct tcphdr _tcph; 272 + bool found = false; 272 273 273 274 memset(&ctx, 0, sizeof(ctx)); 274 275 ··· 284 283 285 284 data->genre = f->genre; 286 285 data->version = f->version; 286 + found = true; 287 287 break; 288 288 } 289 289 290 - return true; 290 + return found; 291 291 } 292 292 EXPORT_SYMBOL_GPL(nf_osf_find); 293 293

+53 -12

tools/testing/selftests/netfilter/nft_concat_range.sh

··· 91 91 start 1 92 92 count 5 93 93 src_delta 2000 94 - tools sendip nc bash 94 + tools sendip socat nc bash 95 95 proto udp 96 96 97 97 race_repeat 3 ··· 116 116 start 10 117 117 count 5 118 118 src_delta 2000 119 - tools sendip nc bash 119 + tools sendip socat nc bash 120 120 proto udp6 121 121 122 122 race_repeat 3 ··· 141 141 start 1 142 142 count 5 143 143 src_delta 2000 144 - tools sendip nc bash 144 + tools sendip socat nc bash 145 145 proto udp 146 146 147 147 race_repeat 0 ··· 163 163 start 10 164 164 count 5 165 165 src_delta 2000 166 - tools sendip nc bash 166 + tools sendip socat nc bash 167 167 proto udp6 168 168 169 169 race_repeat 0 ··· 185 185 start 10 186 186 count 5 187 187 src_delta 2000 188 - tools sendip nc bash 188 + tools sendip socat nc bash 189 189 proto udp6 190 190 191 191 race_repeat 0 ··· 207 207 start 1 208 208 count 5 209 209 src_delta 2000 210 - tools sendip nc bash 210 + tools sendip socat nc bash 211 211 proto udp 212 212 213 213 race_repeat 3 ··· 227 227 start 10 228 228 count 5 229 229 src_delta 2000 230 - tools sendip nc 230 + tools sendip socat nc 231 231 proto udp6 232 232 233 233 race_repeat 3 ··· 247 247 start 1 248 248 count 5 249 249 src_delta 2000 250 - tools sendip nc bash 250 + tools sendip socat nc bash 251 251 proto udp 252 252 253 253 race_repeat 0 ··· 264 264 start 1 265 265 count 5 266 266 src_delta 2000 267 - tools sendip nc bash 267 + tools sendip socat nc bash 268 268 proto udp 269 269 270 270 race_repeat 0 ··· 286 286 start 1 287 287 count 5 288 288 src_delta 2000 289 - tools sendip nc bash 289 + tools sendip socat nc bash 290 290 proto udp 291 291 292 292 race_repeat 0 ··· 337 337 start 1 338 338 count 5 339 339 src_delta 2000 340 - tools sendip nc 340 + tools sendip socat nc 341 341 proto udp 342 342 343 343 race_repeat 3 ··· 363 363 start 1 364 364 count 1 365 365 src_delta 2000 366 - tools sendip nc bash 366 + tools sendip socat nc bash 367 367 proto udp 368 368 369 369 race_repeat 0 ··· 541 541 dst_port= 542 542 src_addr4= 543 543 } 544 + elif command -v socat -v >/dev/null; then 545 + send_udp() { 546 + if [ -n "${src_addr4}" ]; then 547 + B ip addr add "${src_addr4}" dev veth_b 548 + __socatbind=",bind=${src_addr4}" 549 + if [ -n "${src_port}" ];then 550 + __socatbind="${__socatbind}:${src_port}" 551 + fi 552 + fi 553 + 554 + ip addr add "${dst_addr4}" dev veth_a 2>/dev/null 555 + [ -z "${dst_port}" ] && dst_port=12345 556 + 557 + echo "test4" | B socat -t 0.01 STDIN UDP4-DATAGRAM:${dst_addr4}:${dst_port}"${__socatbind}" 558 + 559 + src_addr4= 560 + src_port= 561 + } 544 562 elif command -v nc >/dev/null; then 545 563 if nc -u -w0 1.1.1.1 1 2>/dev/null; then 546 564 # OpenBSD netcat ··· 623 605 src_port= 624 606 dst_port= 625 607 src_addr6= 608 + } 609 + elif command -v socat -v >/dev/null; then 610 + send_udp6() { 611 + ip -6 addr add "${dst_addr6}" dev veth_a nodad \ 612 + 2>/dev/null 613 + 614 + __socatbind6= 615 + 616 + if [ -n "${src_addr6}" ]; then 617 + if [ -n "${src_addr6} != "${src_addr6_added} ]; then 618 + B ip addr add "${src_addr6}" dev veth_b nodad 619 + 620 + src_addr6_added=${src_addr6} 621 + fi 622 + 623 + __socatbind6=",bind=[${src_addr6}]" 624 + 625 + if [ -n "${src_port}" ] ;then 626 + __socatbind6="${__socatbind6}:${src_port}" 627 + fi 628 + fi 629 + 630 + echo "test6" | B socat -t 0.01 STDIN UDP6-DATAGRAM:[${dst_addr6}]:${dst_port}"${__socatbind6}" 626 631 } 627 632 elif command -v nc >/dev/null && nc -u -w0 1.1.1.1 1 2>/dev/null; then 628 633 # GNU netcat might not work with IPv6, try next tool