-stable review patch. If anyone has any objections, please let us know.
------------------
[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
The portptr pointing to the port in the conntrack tuple is declared static,
which could result in memory corruption when two packets of the same
protocol are NATed at the same time and one conntrack goes away.
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/netfilter/ip_nat_proto_tcp.c | 3 ++-
net/ipv4/netfilter/ip_nat_proto_udp.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_tcp.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_tcp.c 2005-07-28 11:17:15.000000000 -0700
@@ -40,7 +40,8 @@
enum ip_nat_manip_type maniptype,
const struct ip_conntrack *conntrack)
{
- static u_int16_t port, *portptr;
+ static u_int16_t port;
+ u_int16_t *portptr;
unsigned int range_size, min, i;
if (maniptype == IP_NAT_MANIP_SRC)
--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_udp.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_udp.c 2005-07-28 11:17:15.000000000 -0700
@@ -41,7 +41,8 @@
enum ip_nat_manip_type maniptype,
const struct ip_conntrack *conntrack)
{
- static u_int16_t port, *portptr;
+ static u_int16_t port;
+ u_int16_t *portptr;
unsigned int range_size, min, i;
if (maniptype == IP_NAT_MANIP_SRC)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
| |
 |