kpriv/linux-hardened
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
linux-hardened/net/ipv4
History
Patrick McHardy 4228e2a989 [NETFILTER]: H.323 helper: fix use of uninitialized data 
When a Choice element contains an unsupported choice no error is returned
and parsing continues normally, but the choice value is not set and
contains data from the last parsed message. This may in turn lead to
parsing of more stale data and following crashes.

Fixes a crash triggered by testcase 0003243 from the PROTOS c07-h2250v4
testsuite following random other testcases:

CPU:    0
EIP:    0060:[<c01a9554>]    Not tainted VLI
EFLAGS: 00210646   (2.6.17-rc2 #3)
EIP is at memmove+0x19/0x22
eax: d7be0307   ebx: d7be0307   ecx: e841fcf9   edx: d7be0307
esi: bfffffff   edi: bfffffff   ebp: da5eb980   esp: c0347e2c
ds: 007b   es: 007b   ss: 0068
Process events/0 (pid: 4, threadinfo=c0347000 task=dff86a90)
Stack: <0>00000006 c0347ea6 d7be0301 e09a6b2c 00000006 da5eb980 d7be003e d7be0052
       c0347f6c e09a6d9c 00000006 c0347ea6 00000006 00000000 d7b9a548 00000000
       c0347f6c d7b9a548 00000004 e0a1a119 0000028f 00000006 c0347ea6 00000006
Call Trace:
 [<e09a6b2c>] mangle_contents+0x40/0xd8 [ip_nat]
 [<e09a6d9c>] ip_nat_mangle_tcp_packet+0xa1/0x191 [ip_nat]
 [<e0a1a119>] set_addr+0x60/0x14d [ip_nat_h323]
 [<e0ab6e66>] q931_help+0x2da/0x71a [ip_conntrack_h323]
 [<e0ab6e98>] q931_help+0x30c/0x71a [ip_conntrack_h323]
 [<e09af242>] ip_conntrack_help+0x22/0x2f [ip_conntrack]
 [<c022934a>] nf_iterate+0x2e/0x5f
 [<c025d357>] xfrm4_output_finish+0x0/0x39f
 [<c02294ce>] nf_hook_slow+0x42/0xb0
 [<c025d357>] xfrm4_output_finish+0x0/0x39f
 [<c025d732>] xfrm4_output+0x3c/0x4e
 [<c025d357>] xfrm4_output_finish+0x0/0x39f
 [<c0230370>] ip_forward+0x1c2/0x1fa
 [<c022f417>] ip_rcv+0x388/0x3b5
 [<c02188f9>] netif_receive_skb+0x2bc/0x2ec
 [<c0218994>] process_backlog+0x6b/0xd0
 [<c021675a>] net_rx_action+0x4b/0xb7
 [<c0115606>] __do_softirq+0x35/0x7d
 [<c0104294>] do_softirq+0x38/0x3f

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:17:11 -07:00
..
ipvs [PATCH] sem2mutex: misc static one-file mutexes 2006-03-26 08:56:55 -08:00
netfilter [NETFILTER]: H.323 helper: fix use of uninitialized data 2006-05-03 23:17:11 -07:00
af_inet.c [IPV4]: inet_init() -> fs_initcall 2006-04-29 18:33:14 -07:00
ah4.c [IPSEC]: Kill unused decap state argument 2006-04-01 00:52:46 -08:00
arp.c [IPV4]: Possible cleanups. 2006-04-14 15:00:20 -07:00
datagram.c [NET]: Fix sparse warnings 2005-08-29 16:01:32 -07:00
devinet.c [IPV4]: Possible cleanups. 2006-04-14 15:00:20 -07:00
esp4.c [IPSEC]: Kill unused decap state argument 2006-04-01 00:52:46 -08:00
fib_frontend.c [IPV4]: Possible cleanups. 2006-04-14 15:00:20 -07:00
fib_hash.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_lookup.h [IPV4]: Prepare FIB core for RCU. 2005-08-29 16:08:31 -07:00
fib_rules.c [IPV4]: Add fib rule netlink notifications 2006-03-23 01:16:06 -08:00
fib_semantics.c [NETLINK]: illegal use of pid in rtnetlink 2006-02-09 16:43:41 -08:00
fib_trie.c [FIB_TRIE]: Fix leaf freeing. 2006-04-09 22:25:23 -07:00
icmp.c [PATCH] for_each_possible_cpu: network codes 2006-04-11 06:18:31 -07:00
igmp.c [NET]: dev_put/dev_hold cleanup 2006-03-20 22:32:28 -08:00
inet_connection_sock.c [INET]: Fix typo in Arnaldo's connection sock compat fixups. 2006-03-20 22:52:32 -08:00
inet_diag.c [INET_DIAG]: Introduce sk_diag_fill 2006-01-09 14:56:56 -08:00
inet_hashtables.c [IPV4]: Possible cleanups. 2006-04-14 15:00:20 -07:00
inet_timewait_sock.c [TWSK]: Introduce struct timewait_sock_ops 2006-01-03 13:10:54 -08:00
inetpeer.c [NET]: Change some "if (x) BUG();" to "BUG_ON(x);" 2006-01-09 14:16:18 -08:00
ip_forward.c [IPV4]: Remove some dead code from ip_forward() 2005-08-29 16:03:06 -07:00
ip_fragment.c [IPV4] ip_fragment: Always compute hash with ipfrag_lock held. 2006-04-09 22:43:55 -07:00
ip_gre.c [INET]: Use port unreachable instead of proto for tunnels 2006-04-09 22:25:29 -07:00
ip_input.c [NETFILTER]: Keep conntrack reference until IPsec policy checks are done 2006-01-07 12:57:36 -08:00
ip_options.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ip_output.c [PATCH] ip_output: account for fraggap when checking to add trailer_len 2006-04-14 16:04:18 -07:00
ip_sockglue.c [NET]: Identation & other cleanups related to compat_[gs]etsockopt cset 2006-03-20 22:48:35 -08:00
ipcomp.c [NET]: Remove redundant NULL checks before [kv]free 2006-04-18 15:57:55 -07:00
ipconfig.c [NET]: Convert RTNL to mutex. 2006-03-20 22:23:58 -08:00
ipip.c [INET]: Move no-tunnel ICMP error to tunnel4/tunnel6 2006-04-09 22:25:25 -07:00
ipmr.c [NET]: dev_put/dev_hold cleanup 2006-03-20 22:32:28 -08:00
Kconfig [INET]: Introduce tunnel4/tunnel6 2006-03-28 17:02:46 -08:00
Makefile [INET]: Introduce tunnel4/tunnel6 2006-03-28 17:02:46 -08:00
multipath.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
multipath_drr.c [IPV4]: possible cleanups 2005-08-29 15:33:20 -07:00
multipath_random.c [IPV4]: Multipath modules need a license to prevent kernel tainting. 2005-06-13 14:29:06 -07:00
multipath_rr.c [IPV4]: Multipath modules need a license to prevent kernel tainting. 2005-06-13 14:29:06 -07:00
multipath_wrandom.c [IPV4] multipath_wrandom: Fix softirq-unsafe spin lock usage 2006-02-02 16:59:16 -08:00
netfilter.c [NETFILTER]: Add address family specific checksum helpers 2006-04-09 22:25:41 -07:00
proc.c [PATCH] for_each_possible_cpu: network codes 2006-04-11 06:18:31 -07:00
protocol.c [TCP]: Move the tcp sock states to net/tcp_states.h 2005-08-29 15:41:54 -07:00
raw.c [NET]: Identation & other cleanups related to compat_[gs]etsockopt cset 2006-03-20 22:48:35 -08:00
route.c [IPV4]: ip_route_input panic fix 2006-04-17 17:27:11 -07:00
syncookies.c [ICSK]: Rename struct tcp_func to struct inet_connection_sock_af_ops 2006-01-03 13:10:38 -08:00
sysctl_net_ipv4.c [TCP]: sysctl to allow TCP window > 32767 sans wscale 2006-03-20 22:40:29 -08:00
tcp.c Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2006-03-25 08:39:20 -08:00
tcp_bic.c [TCP] BIC: spelling and whitespace 2006-01-03 13:10:27 -08:00
tcp_cong.c [TCP]: Fix RFC2465 typo. 2006-03-28 17:02:47 -08:00
tcp_cubic.c [TCP] cubic: use Newton-Raphson 2006-01-03 13:11:09 -08:00
tcp_diag.c [INET_DIAG]: Move the tcp_diag interface to the proper place 2005-08-29 15:57:54 -07:00
tcp_highspeed.c [TCP]: tcp_highspeed: fix AIMD table out-of-bounds access 2006-03-12 20:39:39 -08:00
tcp_htcp.c [TCP] H-TCP: Better time accounting 2006-03-20 22:23:10 -08:00
tcp_hybla.c [TCP]: fix congestion window update when using TSO deferal 2005-11-10 16:53:30 -08:00
tcp_input.c [IPV4]: Possible cleanups. 2006-04-14 15:00:20 -07:00
tcp_ipv4.c [IPV4]: Possible cleanups. 2006-04-14 15:00:20 -07:00
tcp_minisocks.c [IPV6]: Introduce inet6_timewait_sock 2006-01-03 13:10:47 -08:00
tcp_output.c [TCP]: Fix unlikely usage in tcp_transmit_skb() 2006-04-29 18:33:19 -07:00
tcp_scalable.c [TCP]: add tcp_slow_start helper 2005-11-10 17:07:24 -08:00
tcp_timer.c [TCP]: MTU probing 2006-03-20 17:53:41 -08:00
tcp_vegas.c [TCP] tcp_vegas: Fix slow start 2006-01-04 13:59:32 -08:00
tcp_westwood.c [INET_DIAG]: Rename tcp_diag.[ch] to inet_diag.[ch] 2005-08-29 15:57:48 -07:00
tunnel4.c [INET]: Move no-tunnel ICMP error to tunnel4/tunnel6 2006-04-09 22:25:25 -07:00
udp.c [NET]: Identation & other cleanups related to compat_[gs]etsockopt cset 2006-03-20 22:48:35 -08:00
xfrm4_input.c [INET]: Move no-tunnel ICMP error to tunnel4/tunnel6 2006-04-09 22:25:25 -07:00
xfrm4_output.c [IPSEC]: Fix IP ID selection 2006-04-29 18:33:16 -07:00
xfrm4_policy.c [IPSEC]: Use TOS when doing tunnel lookups 2006-02-23 16:19:26 -08:00
xfrm4_state.c [XFRM]: IPsec tunnel wildcard address support 2006-01-13 14:34:36 -08:00
xfrm4_tunnel.c [IPSEC]: Kill unused decap state argument 2006-04-01 00:52:46 -08:00