
[net,1/4] netfilter: nf_conntrack_sip: fix ct_sip_walk_headers

Message ID 20220908095757.1755-2-fw@strlen.de (mailing list archive)
State Accepted
Commit 39aebedeaaa95757f5c1f2ddb5f43fdddbf478ca
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Pull request is its own cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers fail 1 blamed authors not CCed: kaber@trash.net; 4 maintainers not CCed: pablo@netfilter.org kaber@trash.net coreteam@netfilter.org kadlec@netfilter.org
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Florian Westphal Sept. 8, 2022, 9:57 a.m. UTC
From: Igor Ryzhov <iryzhov@nfware.com>

ct_sip_next_header and ct_sip_get_header return an absolute
value of matchoff, not a shift from current dataoff.
So dataoff should be assigned matchoff, not incremented by it.

This issue can be seen in the scenario when there are multiple
Contact headers and the first one is using a hostname and other headers
use IP addresses. In this case, ct_sip_walk_headers will work as follows:

The first ct_sip_get_header call will find the first Contact header
but will return -1 as the header uses a hostname. But matchoff will
be changed to the offset of this header. After that, dataoff should be
set to matchoff, so that the next ct_sip_get_header call finds the next
Contact header. But instead of assigning dataoff to matchoff, it is
incremented by it, which is not correct, as matchoff is an absolute
value of the offset. So on the next call to the ct_sip_get_header,
dataoff will be incorrect, and the next Contact header may not be
found at all.

Fixes: 05e3ced297fe ("[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper")
Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_sip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
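To make the offset arithmetic described above concrete, here is an added stand-alone C model (not code from the kernel tree or from the patch author) of the ct_sip_get_header()/ct_sip_walk_headers() pair, reduced to a Contact-header search, run once with the old `+=` and once with the patched `=`. The helper names get_contact and walk_contacts, the constructed REGISTER message and the "host is an IPv4 literal" test are assumptions of this model; two hostname Contacts precede the IPv4 one so that the second miss happens at a non-zero dataoff, which is the case the kernel hits whenever a walk does not start at offset 0.

```c
#include <stddef.h>
#include <string.h>
/* Constructed message: two hostname Contacts precede an IPv4 one, so the second
 * miss happens with dataoff != 0, which is where "+=" and "=" diverge. */
static const char sip_msg[] =
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Contact: <sip:alice@host-a.example.invalid>\r\n"
    "Contact: <sip:alice@host-b.example.invalid>\r\n"
    "Contact: <sip:alice@192.0.2.10>\r\n"
    "\r\n";
/* Simplified stand-in for ct_sip_get_header(): from dataoff, find the next line
 * starting with "Contact:" and store the ABSOLUTE offset of its value in
 * *matchoff. Returns 1 if the host is an IPv4 literal, -1 if the header was found
 * but the host is not an address (the kernel's match_len fails there), 0 if none. */
static int get_contact(const char *p, size_t len, size_t dataoff, size_t *matchoff)
{
    const char *hdr = "Contact:", *limit = p + len, *dptr, *at;
    if (dataoff > len)
        return 0;
    for (dptr = p + dataoff; dptr < limit; dptr++) {
        if (*dptr != '\n')              /* locate the start of the next line */
            continue;
        if (++dptr >= limit)
            break;
        if ((size_t)(limit - dptr) < strlen(hdr) || strncmp(dptr, hdr, strlen(hdr)))
            continue;
        for (dptr += strlen(hdr); dptr < limit && *dptr == ' '; dptr++)
            ;                           /* skip white space after the name */
        *matchoff = dptr - p;
        at = memchr(dptr, '@', limit - dptr);
        return (at && at[1] >= '0' && at[1] <= '9') ? 1 : -1;
    }
    return 0;
}
/* Model of the ct_sip_walk_headers() retry loop: returns 1 with *matchoff at the
 * first IPv4 Contact value, or 0 if the walk runs off the end. fixed=0 is the
 * old "dataoff += *matchoff", fixed=1 the patched "dataoff = *matchoff". */
static int walk_contacts(int fixed, size_t *matchoff)
{
    size_t len = sizeof(sip_msg) - 1, dataoff = 0;
    int ret;
    while ((ret = get_contact(sip_msg, len, dataoff, matchoff)) == -1) {
        if (fixed)
            dataoff = *matchoff;        /* absolute offset: resume right there */
        else
            dataoff += *matchoff;       /* bug: adds an absolute value as a delta */
    }
    return ret;
}
```

With the old arithmetic the second miss sets dataoff to 47 + 92 = 139, past the last Contact, and the IPv4 header at offset 137 is never found; the patched form resumes at 92 and finds it.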

Comments

patchwork-bot+netdevbpf@kernel.org Sept. 9, 2022, 10 a.m. UTC | #1
Hello:

This series was applied to netdev/net.git (master)
by Florian Westphal <fw@strlen.de>:

On Thu,  8 Sep 2022 11:57:54 +0200 you wrote:
> From: Igor Ryzhov <iryzhov@nfware.com>
> 
> ct_sip_next_header and ct_sip_get_header return an absolute
> value of matchoff, not a shift from current dataoff.
> So dataoff should be assigned matchoff, not incremented by it.
> 
> This issue can be seen in the scenario when there are multiple
> Contact headers and the first one is using a hostname and other headers
> use IP addresses. In this case, ct_sip_walk_headers will work as follows:
> 
> [...]

Here is the summary with links:
  - [net,1/4] netfilter: nf_conntrack_sip: fix ct_sip_walk_headers
    https://git.kernel.org/netdev/net/c/39aebedeaaa9
  - [net,2/4] selftests: nft_concat_range: add socat support
    https://git.kernel.org/netdev/net/c/25b327d4f818
  - [net,3/4] netfilter: nf_conntrack_irc: Tighten matching on DCC message
    https://git.kernel.org/netdev/net/c/e8d5dfd1d874
  - [net,4/4] netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()
    https://git.kernel.org/netdev/net/c/559c36c5a8d7

You are awesome, thank you!

Patch

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index daf06f71d31c..77f5e82d8e3f 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -477,7 +477,7 @@  static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
 				return ret;
 			if (ret == 0)
 				break;
-			dataoff += *matchoff;
+			dataoff = *matchoff;
 		}
 		*in_header = 0;
 	}
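Review bot: with `dataoff = *matchoff;` this first loop now makes progress only if ct_sip_next_header() stores a *matchoff strictly beyond the current dataoff on every negative return; the old `dataoff += *matchoff;` moved forward whenever *matchoff was non-zero. The commit message states the helpers return an absolute matchoff, so the change is right, but that property is now what keeps the `while (1)` from spinning, and a one-line comment above the loop stating it would help the next reader.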
@@ -489,7 +489,7 @@  static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
 			break;
 		if (ret == 0)
 			return ret;
-		dataoff += *matchoff;
+		dataoff = *matchoff;
 	}
 
 	if (in_header)
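Review bot: same two-line correction as in the first loop, which keeps the two sites consistent, but both now depend on the same unstated contract. Suggest a short comment next to `dataoff = *matchoff;`, e.g. `/* *matchoff is an absolute offset into dptr, not a delta */`, so that the `+=` form is not reintroduced; the Fixes: tag shows the original mistake went unnoticed since 05e3ced297fe.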