authorPablo Neira Ayuso <pablo@netfilter.org>2008-08-01 00:05:45 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-08-01 00:05:45 +0200
commitfa4eb049a549dfdd48a8f59ef2713694716a6811 (patch)
treeab067ee41acfe6cd5b6c3601ae627b6c03ab72a8 /src/netlink.c
parent21aabc2c4248d389fbf18a9110443371cc678b53 (diff)
add more sanity checks in the input path
Some users have reported crashes when nf_conntrack_ipv6 was not present. This patch performs more robust sanity checks in the input path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r--src/netlink.c38
1 files changed, 38 insertions, 0 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 1287454..a8a5503 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -26,8 +26,46 @@
#include <string.h>
#include <errno.h>
+static int sanity_check(struct nf_conntrack *ct)
+{
+ if (!nfct_attr_is_set(ct, ATTR_L3PROTO)) {
+ dlog(LOG_ERR, "missing layer 3 protocol");
+ return 0;
+ }
+
+ switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
+ dlog(LOG_ERR, "missing IPv4 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv4?");
+ return 0;
+ }
+ break;
+ case AF_INET6:
+ if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
+ dlog(LOG_ERR, "missing IPv6 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv6?");
+ return 0;
+ }
+ break;
+ }
+ return 1;
+}
+
int ignore_conntrack(struct nf_conntrack *ct)
{
+ /* missing mandatory attributes in object */
+ if (!sanity_check(ct))
+ return 1;
+
/* Accept DNAT'ed traffic: not really coming to the local machine */
if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
debug_ct(ct, "DNAT");
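Review bot: The switch in sanity_check has no default arm, so an object whose ATTR_L3PROTO is neither AF_INET nor AF_INET6 falls through and the function returns 1, passing a conntrack that carries none of the address attributes the check was added to guarantee; whether later code then dereferences a family-specific address is not visible here, but the check as written does not close that path. I would add `default:` / `dlog(LOG_ERR, "unknown layer 3 protocol");` / `return 0;` after the AF_INET6 case so that only the two families the remaining checks understand are accepted. The error strings for the two address cases are also phrased as a question to the operator ("You forgot to load nf_conntrack_ipv4?"); stating the condition directly, e.g. `"missing IPv4 address, is nf_conntrack_ipv4 loaded?"`, reads better in a log. The body of ignore_conntrack continues past the end of this hunk.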