From 55b1c38aca5552f3a2140d2cb5406ec1afe67f20 Mon Sep 17 00:00:00 2001
From: Samuel Gauthier
Date: Thu, 3 Sep 2009 15:05:14 +0200
Subject: conntrackd: better parse_payload protection against corrupted packets
As we get attr->nta_attr directly from net message, it can be corrupted. Hence, we must check that nta_attr value is valid before trying to reach h[attr->nta_attr] element.
Signed-off-by: Samuel Gauthier
Signed-off-by: Pablo Neira Ayuso
---
 src/parse.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src/parse.c')
diff --git a/src/parse.c b/src/parse.c
index 1bdfcc7..b5f257c 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -208,6 +208,8 @@ int parse_payload(struct nf_conntrack *ct, struct nethdr *net, size_t remain)
 ATTR_NETWORK2HOST(attr);
 if (attr->nta_len > len)
 return -1;
+ if (attr->nta_attr > NTA_MAX)
+ return -1;
 if (attr->nta_len != h[attr->nta_attr].size)
 return -1;
 if (h[attr->nta_attr].parse == NULL) {
-- cgit v1.2.3
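Review bot: The new bound check on `attr->nta_attr` uses `>` and therefore still admits `nta_attr == NTA_MAX`; if `h` is declared with `NTA_MAX` entries and `NTA_MAX` is the enum's count terminator rather than a real attribute id (neither definition is visible in this hunk), then `h[NTA_MAX]` is one past the end of the table and the following `.size` and `.parse` reads happen out of bounds on input taken straight from the wire. The check should be `if (attr->nta_attr >= NTA_MAX)`. If `NTA_MAX` is instead the highest valid index, a one-line comment at the check stating that would stop the next reader from asking the same question. parse_payload's enclosing loop begins and the function ends outside the hunk.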