summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorSamuel Gauthier <samuel.gauthier@6wind.com>2009-09-03 15:05:14 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2009-09-03 15:05:14 +0200
commit55b1c38aca5552f3a2140d2cb5406ec1afe67f20 (patch)
tree686ed4ed6ba0092eb0e4ddf51e2b96afd6b22d37 /src
parent9d2c667b951fa67f70bebc863f005dd1d10de91c (diff)
downloadconntrack-tools-55b1c38aca5552f3a2140d2cb5406ec1afe67f20.tar.gz
conntrack-tools-55b1c38aca5552f3a2140d2cb5406ec1afe67f20.zip
conntrackd: better parse_payload protection against corrupted packets
As we get attr->nta_attr directly from net message, it can be corrupted. Hence, we must check that nta_attr value is valid before trying to reach h[attr->nta_attr] element. Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/parse.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/parse.c b/src/parse.c
index 1bdfcc7..b5f257c 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -208,6 +208,8 @@ int parse_payload(struct nf_conntrack *ct, struct nethdr *net, size_t remain)
ATTR_NETWORK2HOST(attr);
if (attr->nta_len > len)
return -1;
+ if (attr->nta_attr > NTA_MAX)
+ return -1;
if (attr->nta_len != h[attr->nta_attr].size)
return -1;
if (h[attr->nta_attr].parse == NULL) {