author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-08-17 12:51:34 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-08-17 12:51:34 +0200 |
commit | 32ca6a144903b2e6318ee61d1dda3f670d3c09da (patch) | |
tree | b549df9f96663f7ca6edb66bcb156d9109199313 /src/sync-mode.c | |
parent | 2c5bed23c8afdd7f349d861fb7e7c8ba33ae3fe1 (diff) | |
conntrackd: more robust sanity checking on synchronization messages
This patch fixes an infinite loop that can occur if a message of
zero length is received. Moreover, now we always stop the processing
if the message is malformed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/sync-mode.c')
-rw-r--r-- | src/sync-mode.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/sync-mode.c b/src/sync-mode.c
index 8cf7aa3..9e3ac39 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -132,6 +132,7 @@ static int channel_handler_routine(struct channel *m, int i)
 remain = numbytes;
 while (remain > 0) {
 struct nethdr *net = (struct nethdr *) ptr;
+ int len;
 
 if (remain < NETHDR_SIZ) {
 STATE_SYNC(error).msg_rcv_malformed++;
@@ -139,7 +140,8 @@ static int channel_handler_routine(struct channel *m, int i)
 break;
 }
 
- if (ntohs(net->len) > remain) {
+ len = ntohs(net->len);
+ if (len > remain || len <= 0) {
 STATE_SYNC(error).msg_rcv_malformed++;
 STATE_SYNC(error).msg_rcv_bad_size++;
 break;
@@ -149,16 +151,19 @@ static int channel_handler_routine(struct channel *m, int i)
 if (remain < NETHDR_ACK_SIZ) {
 STATE_SYNC(error).msg_rcv_malformed++;
 STATE_SYNC(error).msg_rcv_truncated++;
+ break;
 }
 
- if (ntohs(net->len) < NETHDR_ACK_SIZ) {
+ if (len < NETHDR_ACK_SIZ) {
 STATE_SYNC(error).msg_rcv_malformed++;
 STATE_SYNC(error).msg_rcv_bad_size++;
+ break;
 }
 } else {
- if (ntohs(net->len) < NETHDR_SIZ) {
+ if (len < NETHDR_SIZ) {
 STATE_SYNC(error).msg_rcv_malformed++;
 STATE_SYNC(error).msg_rcv_bad_size++;
+ break;
 }
 }
 
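Review bot: In the second hunk's new check `if (len > remain || len <= 0)`, `len` is assigned from `ntohs(net->len)`, a 16-bit unsigned value, so the `< 0` half of `len <= 0` can never hold and `len == 0` states the zero-length condition the commit message targets: `if (len > remain || len == 0) {`. The ordering across the first two hunks — declaring `int len;` before the `remain < NETHDR_SIZ` check but assigning it only after — is load-bearing, because `net->len` must not be read until the header is known to be fully present, and a one-line comment above the assignment would keep a later cleanup from merging declaration and initialisation: `/* net->len is only safe to read once remain >= NETHDR_SIZ */`. The same `len` value is reused in the third hunk's NETHDR_ACK_SIZ and NETHDR_SIZ comparisons, which now `break` on a bad size as the description says. channel_handler_routine begins before the first hunk and continues after the last, so the code that advances ptr and remain by len is not visible here.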