summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-05-20 09:31:26 +0200
committerChris Wright <chrisw@sous-sol.org>2006-05-22 11:04:25 -0700
commit1db6b5a66e93ff125ab871d6b3f7363412cc87e8 (patch)
tree875714adeef432fbe99b975a79db88d41199c02c
parentd87319c3e4d908e157a462d0e3e7fbffbf25324d (diff)
downloadlinux-stable-1db6b5a66e93ff125ab871d6b3f7363412cc87e8.tar.gz
linux-stable-1db6b5a66e93ff125ab871d6b3f7363412cc87e8.tar.bz2
linux-stable-1db6b5a66e93ff125ab871d6b3f7363412cc87e8.zip
[PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)
CVE-2006-2444 - Potential remote DoS in SNMP NAT helper. Fix memory corruption caused by snmp_trap_decode: - When snmp_trap_decode fails before the id and address are allocated, the pointers contain random memory, but are freed by the caller (snmp_parse_mangle). - When snmp_trap_decode fails after allocating just the ID, it tries to free both address and ID, but the address pointer still contains random memory. The caller frees both ID and random memory again. - When snmp_trap_decode fails after allocating both, it frees both, and the callers frees both again. The corruption can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is NATed. Found by multiple testcases of the trap-app and trap-enc groups of the PROTOS c06-snmpv1 testsuite. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
-rw-r--r--net/ipv4/netfilter/ip_nat_snmp_basic.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index 4f95d477805c..df57e7a117db 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(struct asn1_ctx *ctx,
return 1;
+err_addr_free:
+ kfree((unsigned long *)trap->ip_address);
+
err_id_free:
kfree(trap->id);
-err_addr_free:
- kfree((unsigned long *)trap->ip_address);
-
return 0;
}
@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned char *msg,
struct snmp_v1_trap trap;
unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
- /* Discard trap allocations regardless */
- kfree(trap.id);
- kfree((unsigned long *)trap.ip_address);
-
- if (!ret)
+ if (ret) {
+ kfree(trap.id);
+ kfree((unsigned long *)trap.ip_address);
+ } else
return ret;
} else {