Re: [PATCH 1/1] netfilter: h323: avoid potential attack

From: kbuild test robot
Date: Wed Jan 27 2016 - 10:08:33 EST

Hi Zhouyi,

[auto build test ERROR on nf-next/master]
[also build test ERROR on v4.5-rc1 next-20160127]
[if your patch is applied to the wrong git tree, please drop us a note to help improving the system]

url: https://github.com/0day-ci/linux/commits/Zhouyi-Zhou/netfilter-h323-avoid-potential-attack/20160127-225253
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next master
config: x86_64-randconfig-x016-01270835 (attached as .config)
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64

All error/warnings (new ones prefixed by >>):

net/netfilter/nf_conntrack_h323_main.c: In function 'get_h245_addr':
>> net/netfilter/nf_conntrack_h323_main.c:114:11: error: invalid operands to binary - (have 'const unsigned char *' and 'char *')
if (((p - h323_buffer) + n) > 65536) \
^
>> net/netfilter/nf_conntrack_h323_main.c:254:2: note: in expansion of macro 'CHECK_BOUND'
CHECK_BOUND(p, len);
^
net/netfilter/nf_conntrack_h323_main.c: In function 'get_h225_addr':
>> net/netfilter/nf_conntrack_h323_main.c:114:11: error: invalid operands to binary - (have 'const unsigned char *' and 'char *')
if (((p - h323_buffer) + n) > 65536) \
^
net/netfilter/nf_conntrack_h323_main.c:678:2: note: in expansion of macro 'CHECK_BOUND'
CHECK_BOUND(p, len);
^

vim +114 net/netfilter/nf_conntrack_h323_main.c

108 __be16 port, struct nf_conntrack_expect *exp)
109 __read_mostly;
110
111 static DEFINE_SPINLOCK(nf_h323_lock);
112 static char *h323_buffer;
113 #define CHECK_BOUND(p, n) do { \
> 114 if (((p - h323_buffer) + n) > 65536) \
115 return 0; \
116 } while (0)
117
118 static struct nf_conntrack_helper nf_conntrack_helper_h245;
119 static struct nf_conntrack_helper nf_conntrack_helper_q931[];
120 static struct nf_conntrack_helper nf_conntrack_helper_ras[];
121
122 /****************************************************************************/
123 static int get_tpkt_data(struct sk_buff *skb, unsigned int protoff,
124 struct nf_conn *ct, enum ip_conntrack_info ctinfo,
125 unsigned char **data, int *datalen, int *dataoff)
126 {
127 struct nf_ct_h323_master *info = nfct_help_data(ct);
128 int dir = CTINFO2DIR(ctinfo);
129 const struct tcphdr *th;
130 struct tcphdr _tcph;
131 int tcpdatalen;
132 int tcpdataoff;
133 unsigned char *tpkt;
134 int tpktlen;
135 int tpktoff;
136
137 /* Get TCP header */
138 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
139 if (th == NULL)
140 return 0;
141
142 /* Get TCP data offset */
143 tcpdataoff = protoff + th->doff * 4;
144
145 /* Get TCP data length */
146 tcpdatalen = skb->len - tcpdataoff;
147 if (tcpdatalen <= 0) /* No TCP data */
148 goto clear_out;
149
150 if (*data == NULL) { /* first TPKT */
151 /* Get first TPKT pointer */
152 tpkt = skb_header_pointer(skb, tcpdataoff, tcpdatalen,
153 h323_buffer);
154 BUG_ON(tpkt == NULL);
155
156 /* Validate TPKT identifier */
157 if (tcpdatalen < 4 || tpkt[0] != 0x03 || tpkt[1] != 0) {
158 /* Netmeeting sends TPKT header and data separately */
159 if (info->tpkt_len[dir] > 0) {
160 pr_debug("nf_ct_h323: previous packet "
161 "indicated separate TPKT data of %hu "
162 "bytes\n", info->tpkt_len[dir]);
163 if (info->tpkt_len[dir] <= tcpdatalen) {
164 /* Yes, there was a TPKT header
165 * received */
166 *data = tpkt;
167 *datalen = info->tpkt_len[dir];
168 *dataoff = 0;
169 goto out;
170 }
171
172 /* Fragmented TPKT */
173 pr_debug("nf_ct_h323: fragmented TPKT\n");
174 goto clear_out;
175 }
176
177 /* It is not even a TPKT */
178 return 0;
179 }
180 tpktoff = 0;
181 } else { /* Next TPKT */
182 tpktoff = *dataoff + *datalen;
183 tcpdatalen -= tpktoff;
184 if (tcpdatalen <= 4) /* No more TPKT */
185 goto clear_out;
186 tpkt = *data + *datalen;
187
188 /* Validate TPKT identifier */
189 if (tpkt[0] != 0x03 || tpkt[1] != 0)
190 goto clear_out;
191 }
192
193 /* Validate TPKT length */
194 tpktlen = tpkt[2] * 256 + tpkt[3];
195 if (tpktlen < 4)
196 goto clear_out;
197 if (tpktlen > tcpdatalen) {
198 if (tcpdatalen == 4) { /* Separate TPKT header */
199 /* Netmeeting sends TPKT header and data separately */
200 pr_debug("nf_ct_h323: separate TPKT header indicates "
201 "there will be TPKT data of %hu bytes\n",
202 tpktlen - 4);
203 info->tpkt_len[dir] = tpktlen - 4;
204 return 0;
205 }
206
207 pr_debug("nf_ct_h323: incomplete TPKT (fragmented?)\n");
208 goto clear_out;
209 }
210
211 /* This is the encapsulated data */
212 *data = tpkt + 4;
213 *datalen = tpktlen - 4;
214 *dataoff = tpktoff + 4;
215
216 out:
217 /* Clear TPKT length */
218 info->tpkt_len[dir] = 0;
219 return 1;
220
221 clear_out:
222 info->tpkt_len[dir] = 0;
223 return 0;
224 }
225
226 /****************************************************************************/
227 static int get_h245_addr(struct nf_conn *ct, const unsigned char *data,
228 H245_TransportAddress *taddr,
229 union nf_inet_addr *addr, __be16 *port)
230 {
231 const unsigned char *p;
232 int len;
233
234 if (taddr->choice != eH245_TransportAddress_unicastAddress)
235 return 0;
236
237 switch (taddr->unicastAddress.choice) {
238 case eUnicastAddress_iPAddress:
239 if (nf_ct_l3num(ct) != AF_INET)
240 return 0;
241 p = data + taddr->unicastAddress.iPAddress.network;
242 len = 4;
243 break;
244 case eUnicastAddress_iP6Address:
245 if (nf_ct_l3num(ct) != AF_INET6)
246 return 0;
247 p = data + taddr->unicastAddress.iP6Address.network;
248 len = 16;
249 break;
250 default:
251 return 0;
252 }
253
> 254 CHECK_BOUND(p, len);
255
256 memcpy(addr, p, len);
257 memset((void *)addr + len, 0, sizeof(*addr) - len);

---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation

Attachment: .config.gz
Description: Binary data