From: Mark Huang
Date: Mon, 17 Jan 2005 20:07:16 +0000 (+0000)
Subject: - patch from https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=40
X-Git-Tag: before-fedora-2_6_18-1_2239_FC5-vs2_0_2_2-rc6-merge~290
X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=b3b9c77cbcde393d9e34f8a3c6b60775638ea621;p=linux-2.6.git

- patch from https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=40
fixes crash if PPTP packets are received out of order
- PPTP headers are variable length. Specifically, PPTP ACKs without sequence numbers are 4 bytes shorter and will not be properly tracked. Pass the minimum length required to skb_header_pointer() when trying to parse a generic PPTP header out of a packet.
- Fix a call to DUMP_TUPLE_GRE()
---

diff --git a/net/ipv4/netfilter/ip_conntrack_proto_gre.c b/net/ipv4/netfilter/ip_conntrack_proto_gre.c
index edccfe843..013f759cc 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_gre.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_gre.c
@@ -130,6 +130,13 @@ int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
 void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
 struct ip_conntrack_tuple *t)
 {
+ if (!km)
+ {
+ printk(KERN_WARNING
+ "NULL GRE conntrack keymap change requested\n");
+ return;
+ }
+
 DEBUGP("changing entry %p to: ", km);
 DUMP_TUPLE_GRE(t);

@@ -181,7 +188,8 @@ static int gre_pkt_to_tuple(const struct sk_buff *skb,
 u_int32_t srckey;

 grehdr = skb_header_pointer(skb, dataoff, sizeof(_grehdr), &_grehdr);
- pgrehdr = skb_header_pointer(skb, dataoff, sizeof(_pgrehdr), &_pgrehdr);
+ /* PPTP header is variable length, only need up to the call_id field */
+ pgrehdr = skb_header_pointer(skb, dataoff, 8, &_pgrehdr);
 if (!grehdr || !pgrehdr)
 return 0;

@@ -211,11 +219,11 @@ static int gre_pkt_to_tuple(const struct sk_buff *skb,

 srckey = gre_keymap_lookup(tuple);

+ tuple->src.u.gre.key = srckey;
 #if 0
 DEBUGP("found src key %x for tuple ", ntohl(srckey));
 DUMP_TUPLE_GRE(tuple);
 #endif
- tuple->src.u.gre.key = srckey;

 return 1;
 }
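Review bot: The warning added at the top of ip_ct_gre_keymap_change() is not rate limited, and the commit message says the NULL keymap is reached when PPTP packets arrive out of order, so traffic from the network can presumably make this printk fire repeatedly and fill the kernel log. Gate it with the network rate limiter, `if (net_ratelimit()) printk(KERN_WARNING "NULL GRE conntrack keymap change requested\n");`. The guard also only stops the crash at this point: the caller that passes a NULL km is outside this diff and should be checked for why no keymap exists when it asks for a change. The function body continues past the hunk.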
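Review bot: The literal `8` passed to skb_header_pointer() in gre_pkt_to_tuple() hard-codes the header layout and is not tied to the type of `_pgrehdr`, so a change to that struct would silently leave the length check covering the wrong bytes. Derive it from the struct instead, e.g. `offsetof(struct gre_hdr_pptp, seq)`, assuming `_pgrehdr` is a `struct gre_hdr_pptp` whose first field after call_id is `seq` (the declaration is outside the hunk). With the shorter length only the first 8 bytes behind `pgrehdr` are guaranteed to be packet data, so any read of a later field through it in the rest of the function, which is not visible here, needs its own length check. The added comment should say so: `/* only bytes up to call_id are validated; do not read later fields via pgrehdr */`.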