Re: [netfilter-core] [PATCH 2.6.10 1/1] netfilter: fix crash on nat+icmppackets
From: Patrick McHardy
Date: Wed Mar 02 2005 - 04:32:37 EST
mukesh agrawal wrote:
The cause of the crash is that udp_manip_pkt reads *pskb into iph before
calling skb_ip_make_writable, and fails to update iph after the call.
Since skb_ip_make_writable may delete the original skb when it makes a
copy, a page fault may occur when udp_manip_pkt later dereferences iph.
This bug has already been fixed in 2.6.11-rc.
Regards
Patrick
diff -uprN linux-2.6.10.orig/net/ipv4/netfilter/ip_nat_proto_udp.c
linux-2.6.10.fixed/net/ipv4/netfilter/ip_nat_proto_udp.c
--- linux-2.6.10.orig/net/ipv4/netfilter/ip_nat_proto_udp.c
2004-12-24 16:34:01.000000000 -0500
+++ linux-2.6.10.fixed/net/ipv4/netfilter/ip_nat_proto_udp.c
2005-03-01 19:32:21.000000000 -0500
@@ -95,6 +95,9 @@ udp_manip_pkt(struct sk_buff **pskb,
if (!skb_ip_make_writable(pskb, hdroff + sizeof(hdr)))
return 0;
+ /* skb_ip_make_writable may have copied the skb, and deleted
+ the original */
+ iph = (struct iphdr *)((*pskb)->data + iphdroff);
hdr = (void *)(*pskb)->data + hdroff;
if (maniptype == IP_NAT_MANIP_SRC) {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/