Bug 523983

Summary: kernel: ipt_recent: sanity check hit count [rhel-4.9]
Product: Red Hat Enterprise Linux 4 Reporter: Eugene Teo (Security Response) <eteo>
Component: kernelAssignee: Cong Wang <amwang>
Status: CLOSED ERRATA QA Contact: Evan McNabb <emcnabb>
Severity: high Docs Contact:
Priority: urgent    
Version: 4.9CC: dhoward, jolsa, jplans, jskrabal, jtluka, lwang, pbenas, rkhan, vgoyal
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 523982 Environment:
Last Closed: 2011-02-16 15:36:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 523982    
Bug Blocks: 529306    

Description Eugene Teo (Security Response) 2009-09-17 13:47:49 UTC 
+++ This bug was initially created as a clone of Bug #523982 +++

Description of problem:
If a rule using ipt_recent is created with a hit count greater than ip_pkt_list_tot, the rule will never match as it cannot keep track of enough timestamps. This patch makes ipt_recent refuse to create such rules.

With ip_pkt_list_tot's default value of 20, the following can be used to reproduce the problem.

nc -u -l 0.0.0.0 1234 &
for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done

This limits it to 20 packets:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 20 --name test --rsource -j DROP

While this is unlimited:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 21 --name test --rsource -j DROP

With the patch the second rule-set will throw an EINVAL.

Reported-by: Sean Kennedy <skennedy>
Signed-off-by: Daniel Hokka Zakrisson <daniel>
Signed-off-by: Patrick McHardy <kaber>
Signed-off-by: David S. Miller <davem>

Upstream commit:
http://git.kernel.org/linus/d0ebf133590abdc035af6e19a6568667af0ab3b0
Comment 2 RHEL Program Management 2009-10-13 13:50:03 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Vivek Goyal 2009-10-30 18:05:24 UTC 
Committed in 89.14.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 11 errata-xmlrpc 2011-02-16 15:36:59 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0263.html