- 论坛徽章:
- 0
|
- \r\nbuffer overflow is discovered in parsing TCP options,\r\nin both tcp_sack() and tcp_options() functions,\r\nimplemented in nf_conntrack_proto_tcp.c of linux-2.6.22/23.x\r\n\r\n/* in linux-2.6.23.8/net/netfilter/nf_conntrack_proto_tcp.c */\r\n\r\nstatic void tcp_options(const struct sk_buff *skb,\r\n unsigned int dataoff,\r\n struct tcphdr *tcph,\r\n struct ip_ct_tcp_state *state)\r\n{\r\n unsigned char buff[(15 *4) - sizeof(struct tcphdr)];\r\n unsigned char *ptr;\r\n int length = (tcph->doff *4) - sizeof(struct tcphdr);\r\n\r\n if (!length)\r\n return;\r\n\r\n/*\r\n If 108-byte TCP SYN packet is received in\r\n the manner of two frags:\r\n farg-I, 20-byte-IP + 20-byte-TCP + 24-byte-TCP_OPT\r\n and tcp->doff assigned to 0xf\r\n\r\n farg-II, 20-byte-IP + 16-byte-TCP_OPT + 28-byte-TRASH\r\n\r\n then the `ptr\' is forcedly assigned to `buff\',\r\n and sizeof(buff) is 40-byte.\r\n*/\r\n\r\n ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),\r\n length, buff);\r\n BUG_ON(ptr == NULL);\r\n\r\n state->td_scale = state->flags = 0;\r\n\r\n/*\r\n the 40-byte-TCP_OPT is simply filled, and\r\n copied into `buff\' by skb_header_pointer(),\r\n buff[0 ... 38] = TCPOPT_NOP ;\r\n buff[39] = TCPOPT_WINDOW ;\r\n*/\r\n\r\n while (length > 0) {\r\n int opcode = *ptr++;\r\n int opsize;\r\n\r\n switch (opcode) {\r\n case TCPOPT_EOL:\r\n return;\r\n\r\n case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */\r\n length--;\r\n continue;\r\n default:\r\n/*\r\n if (opcode == TCPOPT_WINDOW)\r\n buff overflow ;/\r\n*/\r\n opsize = *ptr++;\r\n if (opsize < 2) /* silly options */\r\n return;\r\n if (opsize > length)\r\n break; /* don\'t parse partial options */\r\n\r\n if (opcode == TCPOPT_SACK_PERM\r\n && opsize == TCPOLEN_SACK_PERM)\r\n state->flags |= IP_CT_TCP_FLAG_SACK_PERM;\r\n else if (opcode == TCPOPT_WINDOW\r\n && opsize == TCPOLEN_WINDOW) {\r\n state->td_scale = *(u_int8_t *)ptr;\r\n\r\n if (state->td_scale > 14) {\r\n /* See RFC1323 */\r\n state->td_scale = 14;\r\n }\r\n state->flags |= IP_CT_TCP_FLAG_WINDOW_SCALE;\r\n }\r\n ptr += opsize - 2;\r\n length -= opsize;\r\n }\r\n }\r\n}\r\n
复制代码 |
|