Re: Re: [PATCH V2] netfilter: h323: avoid potential attack
From: Zhouyi Zhou
Date: Thu Jan 28 2016 - 10:15:14 EST
Thanks for your advices.
I will take your advice if I could have the opportunity
to write the final code.
As matter of factor, I trigger this bug when I tried to
migrate H323 code to other operating systems.
This could trigger a panic because get_h2x5_addr functions
is the first time we ever try to ask for potentially
out of range data because of H323 style decodings
(the value taddr->ipAddress.ip is decoded in the midway between
calling skb_header_pointer and calling get_h2x5_addr)
> -----Original Messages-----
> From: "Florian Westphal" <fw@xxxxxxxxx>
> Sent Time: Thursday, January 28, 2016
> To: "Zhouyi Zhou" <zhouzhouyi@xxxxxxxxx>
> Cc: eric.dumazet@xxxxxxxxx, pablo@xxxxxxxxxxxxx, kaber@xxxxxxxxx, kadlec@xxxxxxxxxxxxxxxxx, davem@xxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxx, "Zhouyi Zhou" <yizhouzhou@xxxxxxxxx>
> Subject: Re: [PATCH V2] netfilter: h323: avoid potential attack
>
> Zhouyi Zhou <zhouzhouyi@xxxxxxxxx> wrote:
> > Thanks Eric for your review and advice.
> >
> > I think hackers chould build a malicious h323 packet to overflow
> > the pointer p which will panic during the memcpy(addr, p, len)
> >
> > For example, he may fabricate a very large taddr->ipAddress.ip;
>
> Can you be more specific?
>
> h323_buffer is backend storage for skb_header_pointer, i.e.
> this will error out early when we ask for more data than is available in
> packet.
>
> I don't understand how this could overflow anything.
> Even assuming 64k packet we'd still have enough room in h323_buffer
> for an ipv6 address, no? (we skip the l3/l4 header when extracting
> packet payload).
>