Commit f41d5bb1 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: SNMP NAT: fix memory corruption

Fix memory corruption caused by snmp_trap_decode:

- When snmp_trap_decode fails before the id and address are allocated,
  the pointers contain random memory, but are freed by the caller
  (snmp_parse_mangle).

- When snmp_trap_decode fails after allocating just the ID, it tries
  to free both address and ID, but the address pointer still contains
  random memory. The caller frees both ID and random memory again.

- When snmp_trap_decode fails after allocating both, it frees both,
  and the callers frees both again.

The corruption can be triggered remotely when the ip_nat_snmp_basic
module is loaded and traffic on port 161 or 162 is NATed.

Found by multiple testcases of the trap-app and trap-enc groups of the
PROTOS c06-snmpv1 testsuite.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f5565f4a
...@@ -1003,12 +1003,12 @@ static unsigned char snmp_trap_decode(struct asn1_ctx *ctx, ...@@ -1003,12 +1003,12 @@ static unsigned char snmp_trap_decode(struct asn1_ctx *ctx,
return 1; return 1;
err_addr_free:
kfree((unsigned long *)trap->ip_address);
err_id_free: err_id_free:
kfree(trap->id); kfree(trap->id);
err_addr_free:
kfree((unsigned long *)trap->ip_address);
return 0; return 0;
} }
...@@ -1126,11 +1126,10 @@ static int snmp_parse_mangle(unsigned char *msg, ...@@ -1126,11 +1126,10 @@ static int snmp_parse_mangle(unsigned char *msg,
struct snmp_v1_trap trap; struct snmp_v1_trap trap;
unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check); unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
/* Discard trap allocations regardless */ if (ret) {
kfree(trap.id); kfree(trap.id);
kfree((unsigned long *)trap.ip_address); kfree((unsigned long *)trap.ip_address);
} else
if (!ret)
return ret; return ret;
} else { } else {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment