1. 03 Jun, 2015 4 commits
  2. 02 Jun, 2015 10 commits
  3. 26 May, 2015 24 commits
  4. 21 May, 2015 1 commit
  5. 20 May, 2015 1 commit
    • Ian Wilson's avatar
      netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() · 93091169
      Ian Wilson authored
      [ upstream commit 78146572 ]
      
      nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(),
      nfnl_cthelper_get() and nfnl_cthelper_del().  In each case they pass
      a pointer to an nf_conntrack_tuple data structure local variable:
      
          struct nf_conntrack_tuple tuple;
          ...
          ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
      
      The problem is that this local variable is not initialized, and
      nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and
      dst.protonum.  This leaves all other fields with undefined values
      based on whatever is on the stack:
      
          tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
          tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
      
      The symptom observed was that when the rpc and tns helpers were added
      then traffic to port 1536 was being sent to user-space.
      Signed-off-by: default avatarIan Wilson <iwilson@brocade.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      93091169