forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/net/netfilter
History
Florian Westphal 752b388c92 netfilter: conntrack: disable generic tracking for known protocols 
commit db29a9508a upstream.

Given following iptables ruleset:

-P FORWARD DROP
-A FORWARD -m sctp --dport 9 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT

One would assume that this allows SCTP on port 9 and TCP on port 80.
Unfortunately, if the SCTP conntrack module is not loaded, this allows
*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
which we think is a security issue.

This is because on the first SCTP packet on port 9, we create a dummy
"generic l4" conntrack entry without any port information (since
conntrack doesn't know how to extract this information).

All subsequent packets that are unknown will then be in established
state since they will fallback to proto_generic and will match the
'generic' entry.

Our originally proposed version [1] completely disabled generic protocol
tracking, but Jozsef suggests to not track protocols for which a more
suitable helper is available, hence we now mitigate the issue for in
tree known ct protocol helpers only, so that at least NAT and direction
information will still be preserved for others.

 [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html

Joint work with Daniel Borkmann.

Fixes CVE-2014-8160.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-04-29 10:33:59 +02:00
..
ipset netfilter: ipset: small potential read beyond the end of buffer 2015-01-27 07:52:33 -08:00
ipvs ipvs: rerouting to local clients is not needed anymore 2015-03-26 15:01:01 +01:00
core.c netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6 2013-05-23 11:58:55 +02:00
Kconfig Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
Makefile netfilter: x_tables: add xt_bpf match 2013-01-21 12:20:19 +01:00
nf_conntrack_acct.c netfilter: nf_ct_acct: move initialization out of pernet_operations 2013-01-23 12:55:29 +01:00
nf_conntrack_amanda.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_broadcast.c
nf_conntrack_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-05-01 14:08:52 -07:00
nf_conntrack_ecache.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_expect.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2013-04-19 17:55:29 -04:00
nf_conntrack_extend.c netfilter: nf_ct_ext: support variable length extensions 2012-06-16 15:08:49 +02:00
nf_conntrack_ftp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c netfilter: nf_conntrack: fix rt6i_gateway checks for H.323 helper 2013-11-04 04:31:05 -08:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_irc.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_l3proto_generic.c
nf_conntrack_labels.c netfilter: ctnetlink: send event when conntrack label was modified 2013-06-24 11:32:56 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: ctnetlink: send event when conntrack label was modified 2013-06-24 11:32:56 +02:00
nf_conntrack_pptp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_dccp.c netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages 2014-04-03 12:01:05 -07:00
nf_conntrack_proto_generic.c netfilter: conntrack: disable generic tracking for known protocols 2015-04-29 10:33:59 +02:00
nf_conntrack_proto_gre.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_sctp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_tcp.c netfilter: nf_conntrack: avoid large timeout for mid-stream pickup 2014-10-05 14:54:15 -07:00
nf_conntrack_proto_udp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_udplite.c netfilter: nf_log: prepare net namespace support for loggers 2013-04-05 20:12:54 +02:00
nf_conntrack_sane.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_conntrack_sip.c netfilter: nf_ct_sip: don't drop packets with offsets pointing outside the packet 2013-04-06 14:03:18 +02:00
nf_conntrack_snmp.c netfilter: nf_ct_snmp: add include file 2013-01-18 00:28:18 +01:00
nf_conntrack_standalone.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_tftp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_timeout.c netfilter: nf_ct_timeout: move initialization out of pernet_operations 2013-01-23 12:56:02 +01:00
nf_conntrack_timestamp.c netfilter: nf_ct_tstamp: move initialization out of pernet_operations 2013-01-23 12:55:39 +01:00
nf_internals.h netfilter: pass 'nf_hook_ops' instead of 'list_head' to nf_queue() 2012-09-03 13:52:54 +02:00
nf_log.c netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
nf_nat_amanda.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_nat_core.c netfilter: nf_nat: fix oops on netns removal 2014-11-21 09:22:54 -08:00
nf_nat_ftp.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_nat_helper.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_nat_irc.c netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper 2014-01-15 15:28:53 -08:00
nf_nat_proto_common.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_dccp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_sctp.c sctp: Correct type and usage of sctp_end_cksum() 2013-04-29 20:09:08 +02:00
nf_nat_proto_tcp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_udp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_udplite.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_unknown.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_sip.c netfilter: nf_nat_sip: fix mangling 2013-06-24 11:32:40 +02:00
nf_nat_tftp.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_queue.c netfilter: move skb_gso_segment into nfnetlink_queue module 2013-04-29 20:09:05 +02:00
nf_sockopt.c
nf_tproxy_core.c
nfnetlink.c net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
nfnetlink_acct.c netfilter: nfnetlink_acct: fix incomplete dumping of objects 2013-06-05 12:36:36 +02:00
nfnetlink_cthelper.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
nfnetlink_cttimeout.c netfilter: nfnetlink_cttimeout: fix incomplete dumping of objects 2013-06-05 12:36:37 +02:00
nfnetlink_log.c netfilter: nf_log: release skbuff on nlmsg put failure 2014-11-21 09:22:54 -08:00
nfnetlink_queue_core.c core, nfqueue, openvswitch: fix compilation warning 2015-04-19 10:10:50 +02:00
nfnetlink_queue_ct.c netfilter: nfnetlink_queue: fix sparse warning due to missing include 2012-06-23 02:13:38 +02:00
x_tables.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
xt_addrtype.c netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6 2013-05-23 11:58:55 +02:00
xt_AUDIT.c netfilter: xt_AUDIT: only generate audit log when audit enabled 2013-03-04 14:45:25 +01:00
xt_bpf.c netfilter: x_tables: add xt_bpf match 2013-01-21 12:20:19 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
xt_comment.c
xt_connbytes.c Merge branch 'nf-next' of git://1984.lsi.us.es/net-next 2011-12-25 02:21:45 -05:00
xt_connlabel.c netfilter: add connlabel conntrack extension 2013-01-18 00:28:15 +01:00
xt_connlimit.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
xt_connmark.c
xt_CONNSECMARK.c
xt_conntrack.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
xt_cpu.c
xt_CT.c netfilter: xt_CT: add alias flag 2013-02-05 01:49:26 +01:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c netfilter: xtables: collapse conditions in xt_ecn 2011-12-27 20:45:25 +01:00
xt_esp.c
xt_hashlimit.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
xt_helper.c
xt_HL.c netfilter: Reduce switch/case indent 2011-07-01 16:11:15 -07:00
xt_hl.c netfilter: Reduce switch/case indent 2011-07-01 16:11:15 -07:00
xt_HMARK.c ipv6: Move ipv6_find_hdr() out of Netfilter code. 2012-11-09 17:05:07 -08:00
xt_IDLETIMER.c netfilter: Remove unnecessary OOM logging messages 2011-11-01 09:19:49 +01:00
xt_iprange.c
xt_ipvs.c ipvs: API change to avoid rescan of IPv6 exthdr 2012-09-28 11:34:33 +09:00
xt_LED.c
xt_length.c
xt_limit.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
xt_LOG.c netfilter: xt_LOG: fix mark logging for IPv6 packets 2013-05-29 12:29:18 +02:00
xt_mac.c netfilter: Convert compare_ether_addr to ether_addr_equal 2012-05-09 20:49:18 -04:00
xt_mark.c
xt_multiport.c
xt_nat.c netfilter: xt_nat: fix incorrect hooks for SNAT and DNAT targets 2012-10-15 13:39:12 +02:00
xt_NETMAP.c netfilter: combine ipt_NETMAP and ip6t_NETMAP 2012-09-21 12:11:08 +02:00
xt_nfacct.c netfilter: xtables: add nfacct match to support extended accounting 2011-12-25 02:43:17 +01:00
xt_NFLOG.c netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
xt_NFQUEUE.c netfilter: xt_NFQUEUE: coalesce IPv4 and IPv6 hashing 2013-04-02 01:26:10 +02:00
xt_osf.c netfilter: nf_log: prepare net namespace support for loggers 2013-04-05 20:12:54 +02:00
xt_owner.c userns: xt_owner: Add basic user namespace support. 2012-08-14 21:55:30 -07:00
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_rateest.c netfilter: xt_rateest: fix xt_rateest_mt_checkentry() 2011-07-29 16:24:46 +02:00
xt_RATEEST.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
xt_realm.c
xt_recent.c proc: Supply PDE attribute setting accessor functions 2013-05-01 17:29:18 -04:00
xt_REDIRECT.c netfilter: combine ipt_REDIRECT and ip6t_REDIRECT 2012-09-21 12:12:05 +02:00
xt_repldata.h
xt_sctp.c
xt_SECMARK.c
xt_set.c netfilter: ipset: set match: add support to match the counters 2013-04-29 20:09:03 +02:00
xt_socket.c netfilter: xt_socket: fix compilation warnings with gcc 4.7 2012-09-03 13:31:39 +02:00
xt_state.c
xt_statistic.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c netfilter: xt_TCPMSS: Fix missing fragmentation handling 2013-06-12 11:06:19 +02:00
xt_TCPOPTSTRIP.c netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() 2013-06-11 01:55:07 +02:00
xt_tcpudp.c
xt_TEE.c netfilter: xt_TEE: don't use destination address found in header 2012-10-17 11:00:31 +02:00
xt_time.c netfilter: xt_time: add support to ignore day transition 2012-09-24 14:29:01 +02:00
xt_TPROXY.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
xt_TRACE.c
xt_u32.c