Hi, Jozsef

Though functions in nf_conntrack_proto_tcp.c never see fragmented packets,
the implementation of the function ip_frag_reasm() in linux/net/ipv4/ip_fragment.c
does not make sure that the skb seen in nf_conntrack_proto_tcp.c is linearized,
at least in the case of linux-2.6.22.5 from kernel.org.

Therefore buff overflow is still a problem, if not a vulnerability,
in the function tcp_options(),
as shown in the following code:

    static struct sk_buff *ip_frag_reasm(struct ipq *qp, struct net_device *dev)
    {
    [...]
            /*
             * head is not linearized,
             * 2008-1-11 22:48 by sisi
             */
            skb_shinfo(head)->frag_list = head->next;
            skb_push(head, head->data - skb_network_header(head));
            atomic_sub(head->truesize, &ip_frag_mem);

            for (fp = head->next; fp; fp = fp->next) {
                    head->data_len += fp->len;
                    head->len += fp->len;
                    if (head->ip_summed != fp->ip_summed)
                            head->ip_summed = CHECKSUM_NONE;
                    else if (head->ip_summed == CHECKSUM_COMPLETE)
                            head->csum = csum_add(head->csum, fp->csum);
                    head->truesize += fp->truesize;
                    atomic_sub(fp->truesize, &ip_frag_mem);
            }

            head->next = NULL;
            head->dev = dev;
            head->tstamp = qp->stamp;

            iph = ip_hdr(head);
            iph->frag_off = 0;
            iph->tot_len = htons(len);
            IP_INC_STATS_BH(IPSTATS_MIB_REASMOKS);
            qp->fragments = NULL;
            return head;
    [...]
    }

Best regards,
Jing

2008/1/4, Jozsef Kadlecsik <[email]kadlec@blackhole.kfki.hu[/email]>:
Hi,

On Mon, 24 Dec 2007, jing zhang wrote:

> buffer overflow is discovered in parsing TCP options,
> in both tcp_sack() and tcp_options() functions,
> implemented in nf_conntrack_proto_tcp.c of linux-2.6.22/23.x
>
> I think it is possible to crash a netfilter-based firewall box with a simply
> constructed TCP SYN packet.
[...]
> /*
> If a 108-byte TCP SYN packet is received in
> the manner of two frags:
> frag-I, 20-byte-IP + 20-byte-TCP + 24-byte-TCP_OPT
> and tcp->doff assigned to 0xf
>
> frag-II, 20-byte-IP + 16-byte-TCP_OPT + 28-byte-TRASH
>
> then the `ptr' is forcedly assigned to `buff',
> and sizeof(buff) is 40-byte.
> */
[...]

Please note, defragmenting happens before conntrack is called. In other
words these functions never see fragmented packets. Therefore I think
there is no such problem in nf_conntrack_proto_tcp.c.

Best regards,
Jozsef
-
E-mail : [email]kadlec@blackhole.kfki.hu[/email], [email]kadlec@sunserv.kfki.hu[/email]
PGP key : [url]http://www.kfki.hu/~kadlec/pgp_public_key.txt[/url]
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
though attended, not understood enough yet.
[ This post was last edited by sisi8408 on 2008-1-13 15:44 ]
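The thread above turns on whether the option bytes named by tcp->doff are actually present in the buffer that tcp_options() reads from. The following is an added example, not code from the kernel or from either poster: a TCP option walker that bounds every read by the bytes actually held (`avail`) and by the 40-byte maximum that doff = 0xf allows, rejecting a header that claims more than was received. The function name, the constructed option bytes and the `avail` parameter are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* A TCP header is at most 15 32-bit words (doff = 0xf), so options occupy at
 * most 60 - 20 bytes. This is the same bound as the conntrack `buff` array. */
#define TCP_MAX_OPTLEN ((15 * 4) - 20)

/* Walk TCP options with explicit bounds checks. `opts` points at the bytes that
 * follow the 20-byte fixed header, `avail` is how many of them we really hold,
 * `doff` is the header-length field in 32-bit words. Returns the number of
 * options parsed, or -1 when the header is malformed: doff out of range, more
 * option bytes claimed than held, a length byte of 0 or 1, or an option that
 * would run past the end of the header. */
int parse_tcp_options(const uint8_t *opts, size_t avail, unsigned doff)
{
    size_t length, off = 0;
    int count = 0;

    if (doff < 5 || doff > 15)               /* header must be 20..60 bytes */
        return -1;
    length = doff * 4 - 20;                  /* 0..40 option bytes claimed */
    if (length > avail || length > TCP_MAX_OPTLEN)
        return -1;                           /* never read past what we hold */

    while (off < length) {
        uint8_t kind = opts[off];
        if (kind == 0)                       /* End of Option List */
            break;
        if (kind == 1) {                     /* NOP carries no length byte */
            off++; count++; continue;
        }
        if (off + 1 >= length)               /* no room for the length byte */
            return -1;
        uint8_t optlen = opts[off + 1];
        if (optlen < 2 || off + optlen > length)
            return -1;                       /* option would overrun header */
        off += optlen;
        count++;
    }
    return count;
}

/* Constructed sample (doff = 8): MSS, SACK-permitted, NOP, window scale, EOL. */
static const uint8_t good_opts[12] = {2, 4, 0x05, 0xb4, 4, 2, 1, 3, 3, 7, 0, 0};
/* Constructed malformed sample (doff = 6): a 10-byte option where 4 bytes remain. */
static const uint8_t bad_opts[4] = {1, 1, 8, 10};

int demo_good(void)  { return parse_tcp_options(good_opts, sizeof good_opts, 8); }
int demo_bad(void)   { return parse_tcp_options(bad_opts, sizeof bad_opts, 6); }
/* doff = 0xf claims 40 option bytes while only 12 were received: rejected. */
int demo_short(void) { return parse_tcp_options(good_opts, sizeof good_opts, 15); }
```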