2003-08-02 13:22:51

by Harald Welte

[permalink] [raw]
Subject: [PATCH 2.4] iptables AH/ESP fix (1/1)

Hi Davem!

The below patch (again by Patrick McHardy) is the 2.4 merge of the last
3 2.6 patches I've sent you. Obviously we cannot use the kernel's
ah/esp structures, since there are none.

Please apply, thanks.

diff -Nru a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
--- a/net/ipv4/netfilter/ipt_LOG.c Mon Jul 21 02:21:23 2003
+++ b/net/ipv4/netfilter/ipt_LOG.c Mon Jul 21 02:21:23 2003
@@ -3,15 +3,14 @@
*/
#include <linux/module.h>
#include <linux/skbuff.h>
-#include <linux/ip.h>
#include <linux/spinlock.h>
+#include <linux/ip.h>
#include <net/icmp.h>
#include <net/udp.h>
#include <net/tcp.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-struct in_device;
#include <net/route.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_LOG.h>

#if 0
@@ -20,10 +19,20 @@
#define DEBUGP(format, args...)
#endif

+/* FIXME: move to ip.h like in 2.5 */
+struct ahhdr {
+ __u8 nexthdr;
+ __u8 hdrlen;
+ __u16 reserved;
+ __u32 spi;
+ __u32 seq_no;
+};
+
struct esphdr {
__u32 spi;
-}; /* FIXME evil kludge */
-
+ __u32 seq_no;
+};
+
/* Use lock to serialize, so printks don't overlap */
static spinlock_t log_lock = SPIN_LOCK_UNLOCKED;

@@ -58,7 +67,8 @@
printk("FRAG:%u ", ntohs(iph->frag_off) & IP_OFFSET);

if ((info->logflags & IPT_LOG_IPOPT)
- && iph->ihl * 4 != sizeof(struct iphdr)) {
+ && iph->ihl * 4 != sizeof(struct iphdr)
+ && iph->ihl * 4 >= datalen) {
unsigned int i;

/* Max length: 127 "OPT (" 15*4*2chars ") " */
@@ -231,13 +241,30 @@
break;
}
/* Max Length */
- case IPPROTO_AH:
+ case IPPROTO_AH: {
+ struct ahhdr *ah = protoh;
+
+ /* Max length: 9 "PROTO=AH " */
+ printk("PROTO=AH ");
+
+ if (ntohs(iph->frag_off) & IP_OFFSET)
+ break;
+
+ /* Max length: 25 "INCOMPLETE [65535 bytes] " */
+ if (datalen < sizeof (*ah)) {
+ printk("INCOMPLETE [%u bytes] ", datalen);
+ break;
+ }
+
+ /* Length: 15 "SPI=0xF1234567 " */
+ printk("SPI=0x%x ", ntohl(ah->spi) );
+ break;
+ }
case IPPROTO_ESP: {
struct esphdr *esph = protoh;
- int esp= (iph->protocol==IPPROTO_ESP);

/* Max length: 10 "PROTO=ESP " */
- printk("PROTO=%s ",esp? "ESP" : "AH");
+ printk("PROTO=ESP ");

if (ntohs(iph->frag_off) & IP_OFFSET)
break;
diff -Nru a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
--- a/net/ipv4/netfilter/ipt_ah.c Mon Jul 21 02:20:52 2003
+++ b/net/ipv4/netfilter/ipt_ah.c Mon Jul 21 02:20:52 2003
@@ -15,7 +15,11 @@
#endif

struct ahhdr {
+ __u8 nexthdr;
+ __u8 hdrlen;
+ __u16 reserved;
__u32 spi;
+ __u32 seq_no;
};

/* Returns 1 if the spi is matched by the range, 0 otherwise */
diff -Nru a/net/ipv4/netfilter/ipt_esp.c b/net/ipv4/netfilter/ipt_esp.c
--- a/net/ipv4/netfilter/ipt_esp.c Mon Jul 21 02:22:20 2003
+++ b/net/ipv4/netfilter/ipt_esp.c Mon Jul 21 02:22:20 2003
@@ -16,6 +16,7 @@

struct esphdr {
__u32 spi;
+ __u32 seq_no;
};

/* Returns 1 if the spi is matched by the range, 0 otherwise */
--
- Harald Welte <[email protected]> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie


Attachments:
(No filename) (3.30 kB)
(No filename) (189.00 B)
Download all attachments