author Samuel Gauthier <samuel.gauthier@6wind.com> 2009-09-03 15:05:14 +0200
committer Pablo Neira Ayuso <pablo@netfilter.org> 2009-09-03 15:05:14 +0200
commit 55b1c38aca5552f3a2140d2cb5406ec1afe67f20 (patch)
tree 686ed4ed6ba0092eb0e4ddf51e2b96afd6b22d37
parent 9d2c667b951fa67f70bebc863f005dd1d10de91c (diff)
conntrackd: better parse_payload protection against corrupted packets
As we get attr->nta_attr directly from net message, it can be corrupted. Hence, we must check that nta_attr value is valid before trying to reach h[attr->nta_attr] element.

Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- src/parse.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/parse.c b/src/parse.c
index 1bdfcc7..b5f257c 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -208,6 +208,8 @@ int parse_payload(struct nf_conntrack *ct, struct nethdr *net, size_t remain)
ATTR_NETWORK2HOST(attr);
if (attr->nta_len > len)
return -1;
+ if (attr->nta_attr > NTA_MAX)
+ return -1;
if (attr->nta_len != h[attr->nta_attr].size)
return -1;
if (h[attr->nta_attr].parse == NULL) {
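Review bot: The added bound in parse_payload() uses ">" where the lookup on the following line, h[attr->nta_attr].size, needs the index to be strictly below the number of entries in h. As written, "if (attr->nta_attr > NTA_MAX)" still accepts nta_attr == NTA_MAX, which is in range only if h has NTA_MAX + 1 entries. The declaration of h is not part of this hunk, so please confirm its size; if it is declared with NTA_MAX entries, the test should be "if (attr->nta_attr >= NTA_MAX)", otherwise a corrupted packet carrying nta_attr == NTA_MAX still reads one element past the table. A short comment above the check stating that nta_attr comes straight from the network message would also help future readers keep the ordering (bounds check first, table lookup second) intact.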