- patch from https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=40

  fixes crash if PPTP packets are received out of order
- PPTP headers are variable length. Specifically, PPTP ACKs without
  sequence numbers are 4 bytes shorter and will not be properly
  tracked. Pass the minimum length required to skb_header_pointer() when
  trying to parse a generic PPTP header out of a packet.
- Fix a call to DUMP_TUPLE_GRE()

diff --git a/net/ipv4/netfilter/ip_conntrack_proto_gre.c b/net/ipv4/netfilter/ip_conntrack_proto_gre.c
index edccfe8..013f759 100644 (file)
--- a/net/ipv4/netfilter/ip_conntrack_proto_gre.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_gre.c
@@ -130,6 +130,13 @@ int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
 void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
                             struct ip_conntrack_tuple *t)
 {
+        if (!km)
+        {
+                printk(KERN_WARNING
+                        "NULL GRE conntrack keymap change requested\n");
+                return;
+        }
+
        DEBUGP("changing entry %p to: ", km);
        DUMP_TUPLE_GRE(t);
 
@@ -181,7 +188,8 @@ static int gre_pkt_to_tuple(const struct sk_buff *skb,
        u_int32_t srckey;
 
        grehdr = skb_header_pointer(skb, dataoff, sizeof(_grehdr), &_grehdr);
-       pgrehdr = skb_header_pointer(skb, dataoff, sizeof(_pgrehdr), &_pgrehdr);
+       /* PPTP header is variable length, only need up to the call_id field */
+       pgrehdr = skb_header_pointer(skb, dataoff, 8, &_pgrehdr);
 
        if (!grehdr || !pgrehdr)
                return 0;
@@ -211,11 +219,11 @@ static int gre_pkt_to_tuple(const struct sk_buff *skb,
 
        srckey = gre_keymap_lookup(tuple);
 
+       tuple->src.u.gre.key = srckey;
 #if 0
        DEBUGP("found src key %x for tuple ", ntohl(srckey));
        DUMP_TUPLE_GRE(tuple);
 #endif
-       tuple->src.u.gre.key = srckey;
 
        return 1;
 }