From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 5.19 195/365] netfilter: nf_ct_irc: cap packet search space to 4k
Date: Tue, 23 Aug 2022 10:01:36 +0200
Message-Id: <20220823080126.378613262@linuxfoundation.org>

From: Florian Westphal

commit 976bf59c69cd2e2c17f0ab20a14c0e700cba0f15 upstream.

This uses a pseudo-linearization scheme with a 64k global buffer, but BIG TCP arrival means IPv6 TCP stack can generate skbs that exceed this size.

In practice, IRC commands are not expected to exceed 512 bytes, plus this is interactive protocol, so we should not see large packets in practice.

Given most IRC connections nowadays use TLS so this helper could also be removed in the near future.

Fixes: 7c4e983c4f3c ("net: allow gso_max_size to exceed 65536")
Fixes: 0fe79f28bfaf ("net: allow gro_max_size to exceed 65536")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
--- net/netfilter/nf_conntrack_irc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index 08ee4e760a3d..1796c456ac98 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c
@@ -39,6 +39,7 @@ unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb, EXPORT_SYMBOL_GPL(nf_nat_irc_hook); #define HELPER_NAME "irc" +#define MAX_SEARCH_SIZE 4095 MODULE_AUTHOR("Harald Welte "); MODULE_DESCRIPTION("IRC (DCC) connection tracking helper"); @@ -121,6 +122,7 @@ static int help(struct sk_buff *skb, unsigned int protoff, int i, ret = NF_ACCEPT; char *addr_beg_p, *addr_end_p; typeof(nf_nat_irc_hook) nf_nat_irc; + unsigned int datalen; /* If packet is coming from IRC server */ if (dir == IP_CT_DIR_REPLY) @@ -140,8 +142,12 @@ static int help(struct sk_buff *skb, unsigned int protoff, if (dataoff >= skb->len) return NF_ACCEPT; + datalen = skb->len - dataoff; + if (datalen > MAX_SEARCH_SIZE) + datalen = MAX_SEARCH_SIZE; + spin_lock_bh(&irc_buffer_lock); - ib_ptr = skb_header_pointer(skb, dataoff, skb->len - dataoff, + ib_ptr = skb_header_pointer(skb, dataoff, datalen, irc_buffer); if (!ib_ptr) { spin_unlock_bh(&irc_buffer_lock); @@ -149,7 +155,7 @@ static int help(struct sk_buff *skb, unsigned int protoff, } data = ib_ptr; - data_limit = ib_ptr + skb->len - dataoff; + data_limit = ib_ptr + datalen; /* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24 * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */ @@ -251,7 +257,7 @@ static int __init nf_conntrack_irc_init(void) irc_exp_policy.max_expected = max_dcc_channels; irc_exp_policy.timeout = dcc_timeout; - irc_buffer = kmalloc(65536, GFP_KERNEL); + irc_buffer = kmalloc(MAX_SEARCH_SIZE + 1, GFP_KERNEL); if (!irc_buffer) return -ENOMEM; -- 2.37.2
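
Review bot: In help(), the clamp added before spin_lock_bh() (`datalen = skb->len - dataoff;` followed by `if (datalen > MAX_SEARCH_SIZE)`) truncates silently: the search now ends at `data_limit = ib_ptr + datalen`, so a DCC command that starts beyond the first 4095 payload bytes, or straddles that boundary, is no longer fully visible to the helper and nothing records that the packet was cut short. The commit message argues this does not occur in practice; a short comment above the clamp stating that assumption would keep the reasoning next to the code. The open-coded clamp could also be written as `datalen = min_t(unsigned int, skb->len - dataoff, MAX_SEARCH_SIZE);`. The subtraction itself is safe because of the `dataoff >= skb->len` early return in the context just above.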
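
Review bot: In nf_conntrack_irc_init(), `kmalloc(MAX_SEARCH_SIZE + 1, GFP_KERNEL)` allocates one byte more than help() ever asks skb_header_pointer() to copy, and nothing in the lines shown writes that byte. If the extra byte is there to round the allocation to 4096 or to leave room for a terminator, a comment at `#define MAX_SEARCH_SIZE 4095` should say so. The subject line says 4k while the define is 4095, and without a comment tying the two together a later edit to either place can easily introduce an off-by-one between the copy length and the buffer size.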