Commit df2a6017 authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westhal says:

====================
netfilter: bugfixes for net

The following set contains four netfilter patches for your *net* tree.

When there are multiple Contact headers in a SIP message, it's possible
that the next headers won't be found because the SIP helper confuses relative
and absolute offsets in the message.  From Igor Ryzhov.

Make the nft_concat_range self-test support socat, this makes the
selftest pass on my test VM, from myself.

nf_conntrack_irc helper can be tricked into opening a local port forward
that the client never requested by embedding a DCC message in a PING
request sent to the client.  Fix from David Leadbeater.

Both have been broken since the kernel 2.6.x days.

The 'osf' match might indicate success while it could not find
anything, broken since 5.2 .  Fix from Pablo Neira.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 26b12249 559c36c5
...@@ -157,15 +157,37 @@ static int help(struct sk_buff *skb, unsigned int protoff, ...@@ -157,15 +157,37 @@ static int help(struct sk_buff *skb, unsigned int protoff,
data = ib_ptr; data = ib_ptr;
data_limit = ib_ptr + datalen; data_limit = ib_ptr + datalen;
/* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24 /* Skip any whitespace */
* 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */ while (data < data_limit - 10) {
while (data < data_limit - (19 + MINMATCHLEN)) { if (*data == ' ' || *data == '\r' || *data == '\n')
if (memcmp(data, "\1DCC ", 5)) { data++;
else
break;
}
/* strlen("PRIVMSG x ")=10 */
if (data < data_limit - 10) {
if (strncasecmp("PRIVMSG ", data, 8))
goto out;
data += 8;
}
/* strlen(" :\1DCC SENT t AAAAAAAA P\1\n")=26
* 7+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=26
*/
while (data < data_limit - (21 + MINMATCHLEN)) {
/* Find first " :", the start of message */
if (memcmp(data, " :", 2)) {
data++; data++;
continue; continue;
} }
data += 2;
/* then check that place only for the DCC command */
if (memcmp(data, "\1DCC ", 5))
goto out;
data += 5; data += 5;
/* we have at least (19+MINMATCHLEN)-5 bytes valid data left */ /* we have at least (21+MINMATCHLEN)-(2+5) bytes valid data left */
iph = ip_hdr(skb); iph = ip_hdr(skb);
pr_debug("DCC found in master %pI4:%u %pI4:%u\n", pr_debug("DCC found in master %pI4:%u %pI4:%u\n",
...@@ -181,7 +203,7 @@ static int help(struct sk_buff *skb, unsigned int protoff, ...@@ -181,7 +203,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
pr_debug("DCC %s detected\n", dccprotos[i]); pr_debug("DCC %s detected\n", dccprotos[i]);
/* we have at least /* we have at least
* (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid * (21+MINMATCHLEN)-7-dccprotos[i].matchlen bytes valid
* data left (== 14/13 bytes) */ * data left (== 14/13 bytes) */
if (parse_dcc(data, data_limit, &dcc_ip, if (parse_dcc(data, data_limit, &dcc_ip,
&dcc_port, &addr_beg_p, &addr_end_p)) { &dcc_port, &addr_beg_p, &addr_end_p)) {
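Review bot: The search for the first ` :` is not confined to the line that passed the `PRIVMSG` comparison: the loop advances `data` up to `data_limit - (21 + MINMATCHLEN)` and never stops at `\r` or `\n`, so the `\1DCC ` test can be applied to a later line of the same segment whose command was never checked. Ending the scan at the line break would keep the DCC payload tied to the PRIVMSG it belongs to, for example `if (*data == '\n') goto out;` ahead of the `memcmp(data, " :", 2)` test. The `PRIVMSG` check is also skipped when fewer than 10 bytes remain; that appears harmless because the later loop needs more bytes than that, but a one-line comment saying so would save the next reader the arithmetic. help() begins and ends outside these hunks, so any length validation before `data = ib_ptr` is not visible here.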
......
...@@ -477,7 +477,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr, ...@@ -477,7 +477,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
return ret; return ret;
if (ret == 0) if (ret == 0)
break; break;
dataoff += *matchoff; dataoff = *matchoff;
} }
*in_header = 0; *in_header = 0;
} }
...@@ -489,7 +489,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr, ...@@ -489,7 +489,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
break; break;
if (ret == 0) if (ret == 0)
return ret; return ret;
dataoff += *matchoff; dataoff = *matchoff;
} }
if (in_header) if (in_header)
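Review bot: With plain assignment, forward progress in both loops depends on the header lookup storing an offset in `*matchoff` that lies beyond the current `dataoff` whenever the loop continues, and that guarantee is not visible in these hunks. A short comment at each assignment would record the unit the fix relies on, e.g. `/* *matchoff is an absolute offset into dptr, not relative to dataoff */`. If the callee cannot promise progress, checking that `*matchoff` is greater than `dataoff` before assigning would keep the walk from spinning on a malformed message; that part is a suggestion to verify against the callee. ct_sip_walk_headers() starts and ends outside the hunks.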
......
...@@ -269,6 +269,7 @@ bool nf_osf_find(const struct sk_buff *skb, ...@@ -269,6 +269,7 @@ bool nf_osf_find(const struct sk_buff *skb,
struct nf_osf_hdr_ctx ctx; struct nf_osf_hdr_ctx ctx;
const struct tcphdr *tcp; const struct tcphdr *tcp;
struct tcphdr _tcph; struct tcphdr _tcph;
bool found = false;
memset(&ctx, 0, sizeof(ctx)); memset(&ctx, 0, sizeof(ctx));
...@@ -283,10 +284,11 @@ bool nf_osf_find(const struct sk_buff *skb, ...@@ -283,10 +284,11 @@ bool nf_osf_find(const struct sk_buff *skb,
data->genre = f->genre; data->genre = f->genre;
data->version = f->version; data->version = f->version;
found = true;
break; break;
} }
return true; return found;
} }
EXPORT_SYMBOL_GPL(nf_osf_find); EXPORT_SYMBOL_GPL(nf_osf_find);
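Review bot: nf_osf_find() is exported but the hunks show no comment stating its contract, and this fix is what makes the return value meaningful. As far as the visible lines show, `data->genre` and `data->version` are written only on the path that sets `found = true`, so callers must not read `*data` after a false return. A comment above the function would pin that down, e.g. `/* Returns true and fills *data only when a fingerprint matched. */`. The function body between the two hunks is not visible, so any early returns there should be checked against the same contract.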
......
...@@ -91,7 +91,7 @@ src ...@@ -91,7 +91,7 @@ src
start 1 start 1
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp proto udp
race_repeat 3 race_repeat 3
...@@ -116,7 +116,7 @@ src ...@@ -116,7 +116,7 @@ src
start 10 start 10
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp6 proto udp6
race_repeat 3 race_repeat 3
...@@ -141,7 +141,7 @@ src ...@@ -141,7 +141,7 @@ src
start 1 start 1
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp proto udp
race_repeat 0 race_repeat 0
...@@ -163,7 +163,7 @@ src mac ...@@ -163,7 +163,7 @@ src mac
start 10 start 10
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp6 proto udp6
race_repeat 0 race_repeat 0
...@@ -185,7 +185,7 @@ src mac proto ...@@ -185,7 +185,7 @@ src mac proto
start 10 start 10
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp6 proto udp6
race_repeat 0 race_repeat 0
...@@ -207,7 +207,7 @@ src addr4 ...@@ -207,7 +207,7 @@ src addr4
start 1 start 1
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp proto udp
race_repeat 3 race_repeat 3
...@@ -227,7 +227,7 @@ src addr6 port ...@@ -227,7 +227,7 @@ src addr6 port
start 10 start 10
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc tools sendip socat nc
proto udp6 proto udp6
race_repeat 3 race_repeat 3
...@@ -247,7 +247,7 @@ src mac proto addr4 ...@@ -247,7 +247,7 @@ src mac proto addr4
start 1 start 1
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp proto udp
race_repeat 0 race_repeat 0
...@@ -264,7 +264,7 @@ src mac ...@@ -264,7 +264,7 @@ src mac
start 1 start 1
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp proto udp
race_repeat 0 race_repeat 0
...@@ -286,7 +286,7 @@ src mac addr4 ...@@ -286,7 +286,7 @@ src mac addr4
start 1 start 1
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp proto udp
race_repeat 0 race_repeat 0
...@@ -337,7 +337,7 @@ src addr4 ...@@ -337,7 +337,7 @@ src addr4
start 1 start 1
count 5 count 5
src_delta 2000 src_delta 2000
tools sendip nc tools sendip socat nc
proto udp proto udp
race_repeat 3 race_repeat 3
...@@ -363,7 +363,7 @@ src mac ...@@ -363,7 +363,7 @@ src mac
start 1 start 1
count 1 count 1
src_delta 2000 src_delta 2000
tools sendip nc bash tools sendip socat nc bash
proto udp proto udp
race_repeat 0 race_repeat 0
...@@ -541,6 +541,24 @@ setup_send_udp() { ...@@ -541,6 +541,24 @@ setup_send_udp() {
dst_port= dst_port=
src_addr4= src_addr4=
} }
elif command -v socat -v >/dev/null; then
send_udp() {
if [ -n "${src_addr4}" ]; then
B ip addr add "${src_addr4}" dev veth_b
__socatbind=",bind=${src_addr4}"
if [ -n "${src_port}" ];then
__socatbind="${__socatbind}:${src_port}"
fi
fi
ip addr add "${dst_addr4}" dev veth_a 2>/dev/null
[ -z "${dst_port}" ] && dst_port=12345
echo "test4" | B socat -t 0.01 STDIN UDP4-DATAGRAM:${dst_addr4}:${dst_port}"${__socatbind}"
src_addr4=
src_port=
}
elif command -v nc >/dev/null; then elif command -v nc >/dev/null; then
if nc -u -w0 1.1.1.1 1 2>/dev/null; then if nc -u -w0 1.1.1.1 1 2>/dev/null; then
# OpenBSD netcat # OpenBSD netcat
...@@ -606,6 +624,29 @@ setup_send_udp6() { ...@@ -606,6 +624,29 @@ setup_send_udp6() {
dst_port= dst_port=
src_addr6= src_addr6=
} }
elif command -v socat -v >/dev/null; then
send_udp6() {
ip -6 addr add "${dst_addr6}" dev veth_a nodad \
2>/dev/null
__socatbind6=
if [ -n "${src_addr6}" ]; then
if [ -n "${src_addr6} != "${src_addr6_added} ]; then
B ip addr add "${src_addr6}" dev veth_b nodad
src_addr6_added=${src_addr6}
fi
__socatbind6=",bind=[${src_addr6}]"
if [ -n "${src_port}" ] ;then
__socatbind6="${__socatbind6}:${src_port}"
fi
fi
echo "test6" | B socat -t 0.01 STDIN UDP6-DATAGRAM:[${dst_addr6}]:${dst_port}"${__socatbind6}"
}
elif command -v nc >/dev/null && nc -u -w0 1.1.1.1 1 2>/dev/null; then elif command -v nc >/dev/null && nc -u -w0 1.1.1.1 1 2>/dev/null; then
# GNU netcat might not work with IPv6, try next tool # GNU netcat might not work with IPv6, try next tool
send_udp6() { send_udp6() {
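Review bot: In the new socat `send_udp6()` the test `[ -n "${src_addr6} != "${src_addr6_added} ]` is mis-quoted: the quotes wrap `${src_addr6} != ` into a single word, so `-n` always sees a non-empty string and the address is re-added on every call. It should read `if [ "${src_addr6}" != "${src_addr6_added}" ]; then`. In the IPv4 `send_udp()`, `__socatbind` is never cleared, so a bind option from an earlier call is reused when `src_addr4` is empty; starting the function with `__socatbind=` would match what the IPv6 variant does with `__socatbind6=`. The trailing `-v` in `command -v socat -v` also looks unintended in both `elif` lines.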
......