linux/net/ipv4/netfilter, branch v2.6.17

[NETFILTER]: PPTP helper: fix sstate/cstate typo

2006-05-29T05:51:05Z

Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: mark H.323 helper experimental

2006-05-29T05:50:40Z

Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: Fix small information leak in SO_ORIGINAL_DST (CVE-2006-1343)

2006-05-29T05:50:18Z

It appears that sockaddr_in.sin_zero is not zeroed during getsockopt(...SO_ORIGINAL_DST...) operation. This can lead to an information leak (CVE-2006-1343). Signed-off-by: Marcel Holtmann Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: SNMP NAT: fix memleak in snmp_object_decode

2006-05-23T22:15:13Z

If kmalloc fails, error path leaks data allocated from asn1_oid_decode(). Signed-off-by: Chris Wright Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: H.323 helper: fix sequence extension parsing

2006-05-23T22:15:10Z

When parsing unknown sequence extensions the "son"-pointer points behind the last known extension for this type, don't try to interpret it. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: H.323 helper: fix parser error propagation

2006-05-23T22:15:08Z

The condition "> H323_ERROR_STOP" can never be true since H323_ERROR_STOP is positive and is the highest possible return code, while real errors are negative, fix the checks. Also only abort on real errors in some spots that were just interpreting any return value != 0 as error. Fixes crashes caused by use of stale data after a parsing error occured: BUG: unable to handle kernel paging request at virtual address bfffffff printing eip: c01aa0f8 *pde = 1a801067 *pte = 00000000 Oops: 0000 [#1] PREEMPT Modules linked in: ip_nat_h323 ip_conntrack_h323 nfsd exportfs sch_sfq sch_red cls_fw sch_hfsc xt_length ipt_owner xt_MARK iptable_mangle nfs lockd sunrpc pppoe pppoxx CPU: 0 EIP: 0060:[] Not tainted VLI EFLAGS: 00210646 (2.6.17-rc4 #8) EIP is at memmove+0x19/0x22 eax: d77264e9 ebx: d77264e9 ecx: e88d9b17 edx: d77264e9 esi: bfffffff edi: bfffffff ebp: de6a7680 esp: c0349db8 ds: 007b es: 007b ss: 0068 Process asterisk (pid: 3765, threadinfo=c0349000 task=da068540) Stack: <0>00000006 c0349e5e d77264e3 e09a2b4e e09a38a0 d7726052 d7726124 00000491 00000006 00000006 00000006 00000491 de6a7680 d772601e d7726032 c0349f74 e09a2dc2 00000006 c0349e5e 00000006 00000000 d76dda28 00000491 c0349f74 Call Trace: [] mangle_contents+0x62/0xfe [ip_nat] [] ip_nat_mangle_tcp_packet+0xa1/0x191 [ip_nat] [] set_addr+0x74/0x14c [ip_nat_h323] [] process_setup+0x11b/0x29e [ip_conntrack_h323] [] process_setup+0x14c/0x29e [ip_conntrack_h323] [] process_q931+0x3c/0x142 [ip_conntrack_h323] [] q931_help+0xe0/0x144 [ip_conntrack_h323] ... Found by the PROTOS c07-h2250v4 testsuite. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: SNMP NAT: fix memory corruption

2006-05-22T23:55:14Z

Fix memory corruption caused by snmp_trap_decode: - When snmp_trap_decode fails before the id and address are allocated, the pointers contain random memory, but are freed by the caller (snmp_parse_mangle). - When snmp_trap_decode fails after allocating just the ID, it tries to free both address and ID, but the address pointer still contains random memory. The caller frees both ID and random memory again. - When snmp_trap_decode fails after allocating both, it frees both, and the callers frees both again. The corruption can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is NATed. Found by multiple testcases of the trap-app and trap-enc groups of the PROTOS c06-snmpv1 testsuite. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039)

2006-05-19T09:16:52Z

Solar Designer found a race condition in do_add_counters(). The beginning of paddc is supposed to be the same as tmp which was sanity-checked above, but it might not be the same in reality. In case the integer overflow and/or the race condition are triggered, paddc->num_counters might not match the allocation size for paddc. If the check below (t->private->number != paddc->num_counters) nevertheless passes (perhaps this requires the race condition to be triggered), IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size, potentially causing an oops or leaking sensitive data (e.g., passwords from host system or from another VPS) via counter increments. This requires CAP_NET_ADMIN. Signed-off-by: Solar Designer Signed-off-by: Kirill Korotaev Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: GRE conntrack: fix htons/htonl confusion

2006-05-19T09:16:29Z

GRE keys are 16 bit. Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: fix format specifier for netfilter log targets

2006-05-19T09:15:47Z

The prefix argument for nf_log_packet is a format specifier, so don't pass the user defined string directly to it. Signed-off-by: Philip Craig Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller