diff options
author | Samuel Gauthier <samuel.gauthier@6wind.com> | 2009-09-03 15:05:14 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-09-03 15:05:14 +0200 |
commit | 55b1c38aca5552f3a2140d2cb5406ec1afe67f20 (patch) | |
tree | 686ed4ed6ba0092eb0e4ddf51e2b96afd6b22d37 /src | |
parent | 9d2c667b951fa67f70bebc863f005dd1d10de91c (diff) | |
download | conntrack-tools-55b1c38aca5552f3a2140d2cb5406ec1afe67f20.tar.gz conntrack-tools-55b1c38aca5552f3a2140d2cb5406ec1afe67f20.zip |
conntrackd: better parse_payload protection against corrupted packets
As we get attr->nta_attr directly from net message, it can be corrupted.
Hence, we must check that nta_attr value is valid before trying to reach
h[attr->nta_attr] element.
Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/parse.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/parse.c b/src/parse.c index 1bdfcc7..b5f257c 100644 --- a/src/parse.c +++ b/src/parse.c @@ -208,6 +208,8 @@ int parse_payload(struct nf_conntrack *ct, struct nethdr *net, size_t remain) ATTR_NETWORK2HOST(attr); if (attr->nta_len > len) return -1; + if (attr->nta_attr > NTA_MAX) + return -1; if (attr->nta_len != h[attr->nta_attr].size) return -1; if (h[attr->nta_attr].parse == NULL) { |