Hi,
AH, ESP:
 - added length check in the iteration phase
 - added length check in the interpreter
frag:
 - added length check in the iteration phase

Regards,
kisza

--
Andras Kis-Szabo
Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6 [EMAIL PROTECTED] /---------------------------------------------->
--- netfilter/userspace/patch-o-matic/base/ahesp6.patch.ipv6 Tue Mar 26 13:38:30 2002
+++ netfilter.new/userspace/patch-o-matic/base/ahesp6.patch.ipv6 Sun Apr 21 +23:50:17 2002
@@ -1,7 +1,7 @@
-diff -urN linux/net/ipv6/netfilter/ip6t_ah.c linux.dev/net/ipv6/netfilter/ip6t_ah.c
---- linux/net/ipv6/netfilter/ip6t_ah.c Thu Jan 1 01:00:00 1970
-+++ linux.dev/net/ipv6/netfilter/ip6t_ah.c Thu Mar 21 21:58:56 2002
-@@ -0,0 +1,209 @@
+diff -urNb linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_ah.c +linux-2.4.18/net/ipv6/netfilter/ip6t_ah.c
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_ah.c Thu Jan 1 01:00:00 1970
++++ linux-2.4.18/net/ipv6/netfilter/ip6t_ah.c Sun Apr 21 23:33:24 2002
+@@ -0,0 +1,218 @@
+/* Kernel module to match AH parameters. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
@@ -135,11 +135,20 @@
+ nexthdr = hdr->nexthdr;
+ len -= hdrlen;
+ ptr += hdrlen;
++ if ( ptr > skb->len ) {
++ DEBUGP("ipv6_ah: new pointer too large! \n");
++ break;
++ }
+ }
+
+ /* AH header not found */
+ if ( temp != MASK_AH ) return 0;
+
++ if (len < (int)sizeof(struct ahhdr)){
++ *hotdrop = 1;
++ return 0;
++ }
++
+ ah=skb->data+ptr;
+
+ DEBUGP("IPv6 AH LEN %u %u ", hdrlen, ah->hdrlen);
@@ -211,10 +220,10 @@
+
+module_init(init);
+module_exit(cleanup);
-diff -urN linux/net/ipv6/netfilter/ip6t_esp.c linux.dev/net/ipv6/netfilter/ip6t_esp.c
---- linux/net/ipv6/netfilter/ip6t_esp.c Thu Jan 1 01:00:00 1970
-+++ linux.dev/net/ipv6/netfilter/ip6t_esp.c Thu Mar 21 21:59:11 2002
-@@ -0,0 +1,177 @@
+diff -urNb linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_esp.c +linux-2.4.18/net/ipv6/netfilter/ip6t_esp.c
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_esp.c Thu Jan 1 01:00:00 1970
++++ linux-2.4.18/net/ipv6/netfilter/ip6t_esp.c Sun Apr 21 23:33:45 2002
+@@ -0,0 +1,186 @@
+/* Kernel module to match ESP parameters. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
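Review bot: The guard added after `ptr += hdrlen` in the @@ -135 hunk rejects only `ptr > skb->len`, so an offset equal to `skb->len`, or one that leaves fewer than `sizeof(*hdr)` bytes behind it, still passes and the next iteration's header read starts at or past the end of the packet data; `if (ptr + sizeof(*hdr) > skb->len) { ... break; }` is the check the loop needs (the loop head and its condition are outside the hunk, so whether a negative `len` already terminates it cannot be confirmed here). The `break` then leaves through the `temp != MASK_AH` path and returns 0 as a plain non-match, while a short AH header a few lines below sets `*hotdrop`; a truncated extension-header chain is the same class of malformed packet and would be handled consistently by setting `*hotdrop = 1;` before the `break`. Both points apply unchanged to the ESP hunk (@@ -338) and the frag hunk (@@ -147), which add the same `>` check. The comparison is against `skb->len`, which also counts non-linear data, whereas `ah=skb->data+ptr` reads the linear area — presumably fine for the 2.4 ip6_tables input path, but worth confirming.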
@@ -338,10 +347,19 @@
+ nexthdr = hdr->nexthdr;
+ len -= hdrlen;
+ ptr += hdrlen;
++ if ( ptr > skb->len ) {
++ DEBUGP("ipv6_esp: new pointer too large! \n");
++ break;
++ }
+ }
+
+ /* ESP header not found */
+ if ( temp != MASK_ESP ) return 0;
++
++ if (len < (int)sizeof(struct esphdr)){
++ *hotdrop = 1;
++ return 0;
++ }
+
+ esp=skb->data+ptr;
+
--- netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6 Tue Mar 26 13:45:19 2002
+++ netfilter.new/userspace/patch-o-matic/base/frag6.patch.ipv6 Sun Apr 21 23:46:31 +2002
@@ -1,7 +1,7 @@
-diff -urN linux/net/ipv6/netfilter/ip6t_frag.c linux.dev/net/ipv6/netfilter/ip6t_frag.c
---- linux/net/ipv6/netfilter/ip6t_frag.c Thu Jan 1 01:00:00 1970
-+++ linux.dev/net/ipv6/netfilter/ip6t_frag.c Thu Mar 21 21:58:56 2002
-@@ -0,0 +1,244 @@
+diff -urNb linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_frag.c +linux-2.4.18/net/ipv6/netfilter/ip6t_frag.c
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_frag.c Thu Jan 1 01:00:00 +1970
++++ linux-2.4.18/net/ipv6/netfilter/ip6t_frag.c Sun Apr 21 23:34:08 2002
+@@ -0,0 +1,250 @@
+/* Kernel module to match FRAG parameters. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
@@ -10,6 +10,8 @@
+#include <net/checksum.h>
+#include <net/ipv6.h>
+
++#include <asm/byteorder.h>
++
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_frag.h>
+
@@ -147,6 +149,10 @@
+ nexthdr = hdr->nexthdr;
+ len -= hdrlen;
+ ptr += hdrlen;
++ if ( ptr > skb->len ) {
++ DEBUGP("ipv6_frag: new pointer too large! \n");
++ break;
++ }
+ }
+
+ /* FRAG header not found */
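Review bot: Unlike the AH and ESP patches, the frag hunk (@@ -147) only adds the in-loop pointer check; nothing visible here adds the post-loop `len < (int)sizeof(...)` / `*hotdrop = 1` guard the other two modules gain, and the mail's own summary lists only the iteration-phase check for frag. The hunk ends at the `/* FRAG header not found */` comment, so the code that dereferences the fragment header lies outside it; if that code is not already guarded, the same shape used in ip6t_ah.c, `if (len < (int)sizeof(struct frag_hdr)) { *hotdrop = 1; return 0; }`, should precede the dereference so a packet whose chain ends in a truncated fragment header is dropped rather than read past the data. The `ptr > skb->len` comparison here has the same off-by-one as the AH hunk, noted there.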