authorPablo Neira Ayuso <pablo@netfilter.org>2009-08-17 12:51:34 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2009-08-17 12:51:34 +0200
commit32ca6a144903b2e6318ee61d1dda3f670d3c09da (patch)
treeb549df9f96663f7ca6edb66bcb156d9109199313
parent2c5bed23c8afdd7f349d861fb7e7c8ba33ae3fe1 (diff)
conntrackd: more robust sanity checking on synchronization messages
This patch fixes an infinite loop that can occur if a message of zero length is received. Moreover, processing now always stops as soon as a message is found to be malformed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/sync-mode.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/sync-mode.c b/src/sync-mode.c
index 8cf7aa3..9e3ac39 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -132,6 +132,7 @@ static int channel_handler_routine(struct channel *m, int i)
remain = numbytes;
while (remain > 0) {
struct nethdr *net = (struct nethdr *) ptr;
+ int len;
if (remain < NETHDR_SIZ) {
STATE_SYNC(error).msg_rcv_malformed++;
@@ -139,7 +140,8 @@ static int channel_handler_routine(struct channel *m, int i)
break;
}
- if (ntohs(net->len) > remain) {
+ len = ntohs(net->len);
+ if (len > remain || len <= 0) {
STATE_SYNC(error).msg_rcv_malformed++;
STATE_SYNC(error).msg_rcv_bad_size++;
break;
@@ -149,16 +151,19 @@ static int channel_handler_routine(struct channel *m, int i)
if (remain < NETHDR_ACK_SIZ) {
STATE_SYNC(error).msg_rcv_malformed++;
STATE_SYNC(error).msg_rcv_truncated++;
+ break;
}
- if (ntohs(net->len) < NETHDR_ACK_SIZ) {
+ if (len < NETHDR_ACK_SIZ) {
STATE_SYNC(error).msg_rcv_malformed++;
STATE_SYNC(error).msg_rcv_bad_size++;
+ break;
}
} else {
- if (ntohs(net->len) < NETHDR_SIZ) {
+ if (len < NETHDR_SIZ) {
STATE_SYNC(error).msg_rcv_malformed++;
STATE_SYNC(error).msg_rcv_bad_size++;
+ break;
}
}