Hi,

AH, ESP:
        - added length check in the iteration phase
        - added length check in the interpreter
frag:
        - added length check in the iteration phase

Regards,

        kisza

-- 
    Andras Kis-Szabo       Security Development, Design and Audit
-------------------------/       Zorp, NetFilter and IPv6
 [EMAIL PROTECTED] /---------------------------------------------->
--- netfilter/userspace/patch-o-matic/base/ahesp6.patch.ipv6    Tue Mar 26 13:38:30 
2002
+++ netfilter.new/userspace/patch-o-matic/base/ahesp6.patch.ipv6        Sun Apr 21 
+23:50:17 2002
@@ -1,7 +1,7 @@
-diff -urN linux/net/ipv6/netfilter/ip6t_ah.c linux.dev/net/ipv6/netfilter/ip6t_ah.c
---- linux/net/ipv6/netfilter/ip6t_ah.c Thu Jan  1 01:00:00 1970
-+++ linux.dev/net/ipv6/netfilter/ip6t_ah.c     Thu Mar 21 21:58:56 2002
-@@ -0,0 +1,209 @@
+diff -urNb linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_ah.c 
+linux-2.4.18/net/ipv6/netfilter/ip6t_ah.c
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_ah.c  Thu Jan  1 01:00:00 1970
++++ linux-2.4.18/net/ipv6/netfilter/ip6t_ah.c  Sun Apr 21 23:33:24 2002
+@@ -0,0 +1,218 @@
 +/* Kernel module to match AH parameters. */
 +#include <linux/module.h>
 +#include <linux/skbuff.h>
@@ -135,11 +135,20 @@
 +                nexthdr = hdr->nexthdr;
 +                len -= hdrlen;
 +                ptr += hdrlen;
++              if ( ptr > skb->len ) {
++                      DEBUGP("ipv6_ah: new pointer too large! \n");
++                      break;
++              }
 +        }
 +
 +       /* AH header not found */
 +       if ( temp != MASK_AH ) return 0;
 +
++       if (len < (int)sizeof(struct ahhdr)){
++             *hotdrop = 1;
++                      return 0;
++       }
++
 +       ah=skb->data+ptr;
 +
 +       DEBUGP("IPv6 AH LEN %u %u ", hdrlen, ah->hdrlen);
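Review bot: The new guard `if ( ptr > skb->len )` only rejects an offset that is already past the end of the packet; an offset that leaves fewer than `sizeof *hdr` bytes passes, so the next-header read at the top of the following iteration (the loop head is outside this hunk) can still reach bytes beyond `skb->len` unless the loop condition separately bounds it on `len`. A tighter form is `if ( ptr + sizeof(*hdr) > skb->len ) {` with the same `DEBUGP` and `break` (cast first if `ptr` is a signed type, which is not visible here). The same guard is added in the ESP hunk at `@@ -338,10 +347,19 @@` and the frag hunk at `@@ -147,6 +149,10 @@`, so the change applies to all three. The post-loop `if (len < (int)sizeof(struct ahhdr))` check is the right place to set `*hotdrop`, but it presumes `len` was initialised as the bytes remaining after `ptr` (not visible in this hunk), and the two statements inside it are indented at different levels from each other and from the surrounding file.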
@@ -211,10 +220,10 @@
 +
 +module_init(init);
 +module_exit(cleanup);
-diff -urN linux/net/ipv6/netfilter/ip6t_esp.c linux.dev/net/ipv6/netfilter/ip6t_esp.c
---- linux/net/ipv6/netfilter/ip6t_esp.c        Thu Jan  1 01:00:00 1970
-+++ linux.dev/net/ipv6/netfilter/ip6t_esp.c    Thu Mar 21 21:59:11 2002
-@@ -0,0 +1,177 @@
+diff -urNb linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_esp.c 
+linux-2.4.18/net/ipv6/netfilter/ip6t_esp.c
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_esp.c Thu Jan  1 01:00:00 1970
++++ linux-2.4.18/net/ipv6/netfilter/ip6t_esp.c Sun Apr 21 23:33:45 2002
+@@ -0,0 +1,186 @@
 +/* Kernel module to match ESP parameters. */
 +#include <linux/module.h>
 +#include <linux/skbuff.h>
@@ -338,10 +347,19 @@
 +                nexthdr = hdr->nexthdr;
 +                len -= hdrlen;
 +                ptr += hdrlen;
++              if ( ptr > skb->len ) {
++                      DEBUGP("ipv6_esp: new pointer too large! \n");
++                      break;
++              }
 +        }
 +
 +      /* ESP header not found */
 +      if ( temp != MASK_ESP ) return 0;
++
++       if (len < (int)sizeof(struct esphdr)){
++             *hotdrop = 1;
++                      return 0;
++       }
 +
 +      esp=skb->data+ptr;
 +
--- netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6     Tue Mar 26 13:45:19 
2002
+++ netfilter.new/userspace/patch-o-matic/base/frag6.patch.ipv6 Sun Apr 21 23:46:31 
+2002
@@ -1,7 +1,7 @@
-diff -urN linux/net/ipv6/netfilter/ip6t_frag.c 
linux.dev/net/ipv6/netfilter/ip6t_frag.c
---- linux/net/ipv6/netfilter/ip6t_frag.c       Thu Jan  1 01:00:00 1970
-+++ linux.dev/net/ipv6/netfilter/ip6t_frag.c   Thu Mar 21 21:58:56 2002
-@@ -0,0 +1,244 @@
+diff -urNb linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_frag.c 
+linux-2.4.18/net/ipv6/netfilter/ip6t_frag.c
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_frag.c        Thu Jan  1 01:00:00 
+1970
++++ linux-2.4.18/net/ipv6/netfilter/ip6t_frag.c        Sun Apr 21 23:34:08 2002
+@@ -0,0 +1,250 @@
 +/* Kernel module to match FRAG parameters. */
 +#include <linux/module.h>
 +#include <linux/skbuff.h>
@@ -10,6 +10,8 @@
 +#include <net/checksum.h>
 +#include <net/ipv6.h>
 +
++#include <asm/byteorder.h>
++
 +#include <linux/netfilter_ipv6/ip6_tables.h>
 +#include <linux/netfilter_ipv6/ip6t_frag.h>
 +
@@ -147,6 +149,10 @@
 +                nexthdr = hdr->nexthdr;
 +                len -= hdrlen;
 +                ptr += hdrlen;
++              if ( ptr > skb->len ) {
++                      DEBUGP("ipv6_frag: new pointer too large! \n");
++                      break;
++              }
 +        }
 +
 +       /* FRAG header not found */
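Review bot: Only the iteration-phase guard is added here; unlike the AH and ESP patches in this same mail, no post-loop `if (len < (int)sizeof(...)) { *hotdrop = 1; return 0; }` check is added before the fragment header itself is read. If ip6t_frag.c dereferences the fragment header after the loop (that code is outside this hunk), a truncated packet whose chain ends exactly at `skb->len` still passes the `ptr > skb->len` guard and reaches that read. Adding the same check with `sizeof(struct frag_hdr)` (`<net/ipv6.h>` is already included in this file) closes the gap consistently across the three modules. The enclosing match function starts and ends outside the hunk.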
