author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-08-01 00:05:45 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-08-01 00:05:45 +0200 |
commit | fa4eb049a549dfdd48a8f59ef2713694716a6811 (patch) | |
tree | ab067ee41acfe6cd5b6c3601ae627b6c03ab72a8 | |
parent | 21aabc2c4248d389fbf18a9110443371cc678b53 (diff) | |
add more sanity checks in the input path
Some users have reported crashes when nf_conntrack_ipv6 was not present.
This patch performs more robust sanity checks in the input path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/cache.c | 8 | ||||
-rw-r--r-- | src/netlink.c | 38 |
2 files changed, 38 insertions, 8 deletions
diff --git a/src/cache.c b/src/cache.c
index c72afd8..a73854f 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -75,14 +75,6 @@ static uint32_t hash(const void *data, struct hashtable *table)
 ret = __hash4(u->ct, table);
 break;
 case AF_INET6:
- if (!nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_SRC) ||
- !nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_DST)) {
- dlog(LOG_ERR, "missing IPv6 address. "
- "You forgot to load "
- "nf_conntrack_ipv6?");
- return 0;
- }
-
 ret = __hash6(u->ct, table);
 break;
 default:
diff --git a/src/netlink.c b/src/netlink.c
index 1287454..a8a5503 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -26,8 +26,46 @@
 #include <string.h>
 #include <errno.h>
 
+static int sanity_check(struct nf_conntrack *ct)
+{
+ if (!nfct_attr_is_set(ct, ATTR_L3PROTO)) {
+ dlog(LOG_ERR, "missing layer 3 protocol");
+ return 0;
+ }
+
+ switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
+ dlog(LOG_ERR, "missing IPv4 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv4?");
+ return 0;
+ }
+ break;
+ case AF_INET6:
+ if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
+ dlog(LOG_ERR, "missing IPv6 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv6?");
+ return 0;
+ }
+ break;
+ }
+ return 1;
+}
+
 int ignore_conntrack(struct nf_conntrack *ct)
 {
+ /* missing mandatory attributes in object */
+ if (!sanity_check(ct))
+ return 1;
+
 /* Accept DNAT'ed traffic: not really coming to the local machine */
 if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
 debug_ct(ct, "DNAT");
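Review bot: The switch in sanity_check has no default arm, so a conntrack object whose ATTR_L3PROTO is neither AF_INET nor AF_INET6 is accepted with none of its address attributes checked and reaches the rest of the input path, which is exactly the kind of under-populated object this commit sets out to reject. Unless some caller depends on other families passing through (not visible in this hunk), add `default: dlog(LOG_ERR, "unsupported layer 3 protocol"); return 0;` before the closing brace of the switch, so that the hash() in cache.c, whose own IPv6 guard this commit removes, never sees an unvalidated family. A one-line header comment such as `/* returns 1 if ct carries every attribute the input path dereferences, 0 if it must be dropped */` would also make the 0/1 convention explicit, since ignore_conntrack inverts it on the next lines. The body of ignore_conntrack continues past the end of the hunk.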