Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=802169a4b0f71d25a0f798a9c0657a565b1e79bc
Commit:     802169a4b0f71d25a0f798a9c0657a565b1e79bc
Parent:     4a176c1a61ed279f4d98b6adf9be84fb905d921c
Author:     Patrick McHardy <[EMAIL PROTECTED]>
AuthorDate: Thu May 10 14:17:36 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Thu May 10 23:47:59 2007 -0700

    [NETFILTER]: iptable_raw: ignore short packets sent by SOCK_RAW sockets
    
    iptables matches and targets expect packets to have at least a full
    IP header and a valid header length. Ignore packets sent through
    raw sockets for which this isn't true, as the other tables already do.
    
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/ipv4/netfilter/iptable_raw.c |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index f7d28fd..d6e5033 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -5,6 +5,7 @@
  */
 #include <linux/module.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/ip.h>
 
 #define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
 
@@ -54,6 +55,24 @@ ipt_hook(unsigned int hook,
        return ipt_do_table(pskb, hook, in, out, &packet_raw);
 }
 
+static unsigned int
+ipt_local_hook(unsigned int hook,
+              struct sk_buff **pskb,
+              const struct net_device *in,
+              const struct net_device *out,
+              int (*okfn)(struct sk_buff *))
+{
+       /* root is playing with raw sockets. */
+       if ((*pskb)->len < sizeof(struct iphdr) ||
+           ip_hdrlen(*pskb) < sizeof(struct iphdr)) {
+               if (net_ratelimit())
+                       printk("iptable_raw: ignoring short SOCK_RAW"
+                              "packet.\n");
+               return NF_ACCEPT;
+       }
+       return ipt_do_table(pskb, hook, in, out, &packet_raw);
+}
+
 /* 'raw' is the very first table. */
 static struct nf_hook_ops ipt_ops[] = {
        {
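Review bot: The two adjacent string literals in the printk inside ipt_local_hook concatenate to `ignoring short SOCK_RAWpacket.` because the first literal has no trailing space, and the call also carries no log level; the line should read `printk(KERN_WARNING "iptable_raw: ignoring short SOCK_RAW "` followed by `"packet.\n");`. The NF_ACCEPT return on a packet that fails the length check means such a packet bypasses every rule in the raw table rather than being dropped; the commit message says this mirrors the other tables, but that intent is worth stating at the check, e.g. `/* too short for any match/target to inspect; let it through untouched, as the other tables do */`. The check is only wired to NF_IP_LOCAL_OUT in the following hunk, which is consistent with the comment about root and raw sockets.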
@@ -64,7 +83,7 @@ static struct nf_hook_ops ipt_ops[] = {
                .owner = THIS_MODULE,
        },
        {
-               .hook = ipt_hook,
+               .hook = ipt_local_hook,
                .pf = PF_INET,
                .hooknum = NF_IP_LOCAL_OUT,
                .priority = NF_IP_PRI_RAW,
-