summaryrefslogtreecommitdiff
path: root/src/sync-mode.c
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2008-05-18 21:16:05 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-05-18 21:16:05 +0200
commitdb91cafe5b72f9f591dd8c168427005503186c01 (patch)
treefa4ab2a1e6a4fcf34249fefb1792412c9ccc8f0f /src/sync-mode.c
parentbe2450f37f2ce56eadc78793efc4a54ced4315c6 (diff)
downloadconntrack-tools-db91cafe5b72f9f591dd8c168427005503186c01.tar.gz
conntrack-tools-db91cafe5b72f9f591dd8c168427005503186c01.zip
improve network message sanity checkings
Diffstat (limited to 'src/sync-mode.c')
-rw-r--r--src/sync-mode.c41
1 files changed, 30 insertions, 11 deletions
diff --git a/src/sync-mode.c b/src/sync-mode.c
index a952a5b..7d73e2f 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -34,10 +34,9 @@
#include <string.h>
#include <stdlib.h>
-static void do_mcast_handler_step(struct nethdr *net)
+static void do_mcast_handler_step(struct nethdr *net, size_t remain)
{
int query;
- struct netpld *pld = NETHDR_DATA(net);
char __ct[nfct_maxsize()];
struct nf_conntrack *ct = (struct nf_conntrack *)(void*) __ct;
struct us_conntrack *u;
@@ -57,8 +56,11 @@ static void do_mcast_handler_step(struct nethdr *net)
memset(ct, 0, sizeof(__ct));
- /* XXX: check for malformed */
- parse_netpld(ct, pld, &query);
+ if (parse_netpld(ct, net, &query, remain) == -1) {
+ STATE(malformed)++;
+ dlog(LOG_ERR, "parsing failed: malformed message");
+ return;
+ }
switch(query) {
case NFCT_Q_CREATE:
@@ -91,6 +93,7 @@ retry:
debug_ct(ct, "can't destroy");
break;
default:
+ STATE(malformed)++;
dlog(LOG_ERR, "mcast unknown query %d\n", query);
break;
}
@@ -113,24 +116,40 @@ static void mcast_handler(void)
if (remain < NETHDR_SIZ) {
STATE(malformed)++;
+ dlog(LOG_WARNING, "no room for header");
break;
}
if (ntohs(net->len) > remain) {
- dlog(LOG_ERR, "fragmented messages");
+ STATE(malformed)++;
+ dlog(LOG_WARNING, "fragmented message");
break;
}
+ if (IS_CTL(net)) {
+ if (remain < NETHDR_ACK_SIZ) {
+ STATE(malformed)++;
+ dlog(LOG_WARNING, "no room for ctl message");
+ }
+
+ if (ntohs(net->len) < NETHDR_ACK_SIZ) {
+ STATE(malformed)++;
+ dlog(LOG_WARNING, "ctl header too small");
+ }
+ } else {
+ if (ntohs(net->len) < NETHDR_SIZ) {
+ STATE(malformed)++;
+ dlog(LOG_WARNING, "header too small");
+ }
+ }
+
debug("recv sq: %u fl:%u len:%u (rem:%d)\n",
ntohl(net->seq), ntohs(net->flags),
ntohs(net->len), remain);
- /* sanity check and convert nethdr to host byte order */
- if (handle_netmsg(net) == -1) {
- STATE(malformed)++;
- return;
- }
- do_mcast_handler_step(net);
+ HDR_NETWORK2HOST(net);
+
+ do_mcast_handler_step(net, remain);
ptr += net->len;
remain -= net->len;
}