[NETFILTER]: nf_conntrack_tcp: catch invalid state updates over ctnetlink

Invalid states can cause out-of-bound memory accesses of the state table. Also don't insist on having a new state contained in the netlink message. Signed-off-by: Patrick McHardy <kaber@trash.net>

[NETFILTER]: nf_conntrack_tcp: catch invalid state updates over ctnetlink
Invalid states can cause out-of-bound memory accesses of the state table. Also don't insist on having a new state contained in the netlink message. Signed-off-by: Patrick McHardy <kaber@trash.net>
5f7da4d2 · Patrick McHardy · dd13b010 · 5f7da4d2
Commit 5f7da4d2 authored Apr 14, 2008 by Patrick McHardy
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

net/netfilter/nf_conntrack_proto_tcp.c net/netfilter/nf_conntrack_proto_tcp.c +4 -2

No files found.
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1129,11 +1129,13 @@ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
 	if (err < 0)
 		return err;

-	if (!tb[CTA_PROTOINFO_TCP_STATE])
+	if (tb[CTA_PROTOINFO_TCP_STATE] &&
+	    nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
 		return -EINVAL;

 	write_lock_bh(&tcp_lock);
-	ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
+	if (tb[CTA_PROTOINFO_TCP_STATE])
+		ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);

 	if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
 		struct nf_ct_tcp_flags *attr =