Bug 523986

Summary: kernel: ipt_recent: sanity check hit count [mrg-1]
Product: Red Hat Enterprise MRG
Reporter: Eugene Teo (Security Response) <eteo>
Component: realtime-kernel
Assignee: Luis Claudio R. Goncalves <lgoncalv>
Status: CLOSED ERRATA
QA Contact: David Sommerseth <davids>
Severity: high
Priority: high
Version: Development
CC: bhu, lgoncalv, ovasik, williams
Target Milestone: 1.1.9
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 523982
Last Closed: 2009-11-03 18:22:05 UTC
Bug Depends On: 523982

Description Eugene Teo (Security Response) 2009-09-17 13:51:59 UTC
+++ This bug was initially created as a clone of Bug #523982 +++

Description of problem:
If a rule using ipt_recent is created with a hit count greater than ip_pkt_list_tot, the rule will never match as it cannot keep track of enough timestamps. This patch makes ipt_recent refuse to create such rules.

With ip_pkt_list_tot's default value of 20, the following can be used to reproduce the problem.

nc -u -l 0.0.0.0 1234 &
for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done

This limits it to 20 packets:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 20 --name test --rsource -j DROP

While this is unlimited:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 21 --name test --rsource -j DROP

With the patch the second rule-set will throw an EINVAL.

Reported-by: Sean Kennedy <skennedy>
Signed-off-by: Daniel Hokka Zakrisson <daniel>
Signed-off-by: Patrick McHardy <kaber>
Signed-off-by: David S. Miller <davem>

Upstream commit:
http://git.kernel.org/linus/d0ebf133590abdc035af6e19a6568667af0ab3b0
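
An added model of the problem and of the check the fix introduces; this is not the kernel's xt_recent code and not part of the bug report. It assumes a per-source ring of at most ip_pkt_list_tot timestamps (default 20), constructed struct and function names, and one packet per second as in the reproducer above. A --hitcount above the ring size can never be reached, which is why the 21-hit rule matched nothing and why recent_checkentry now refuses it with -EINVAL.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed model of an xt_recent table entry (not kernel code): a ring
 * holding at most ip_pkt_list_tot timestamps per source, default 20. */
#define IP_PKT_LIST_TOT 20
struct recent_entry {
    unsigned long stamps[IP_PKT_LIST_TOT];
    unsigned int seen;   /* packets recorded; slot = seen % IP_PKT_LIST_TOT */
};

/* The check the fix adds at rule insertion: a --hitcount larger than the
 * stamps an entry can hold can never be satisfied, so refuse the rule. */
int recent_checkentry(unsigned int hit_count, unsigned int ip_pkt_list_tot)
{
    return hit_count > ip_pkt_list_tot ? -EINVAL : 0;
}

/* --set: record the packet's timestamp, overwriting the oldest once full. */
static void recent_set(struct recent_entry *e, unsigned long now)
{
    e->stamps[e->seen++ % IP_PKT_LIST_TOT] = now;
}

/* --update --seconds S --hitcount N: true when at least N stored stamps
 * lie within the last S seconds. Only stored stamps can be counted. */
static bool recent_match(const struct recent_entry *e, unsigned long now,
                         unsigned long seconds, unsigned int hit_count)
{
    unsigned int n = e->seen < IP_PKT_LIST_TOT ? e->seen : IP_PKT_LIST_TOT;
    unsigned int i, hits = 0;
    for (i = 0; i < n; i++)
        if (now - e->stamps[i] <= seconds)
            hits++;
    return hits >= hit_count;
}
/* Replay the reproducer: one packet per second, each passing the --set rule
 * and then the --update rule. Returns the 1-based packet number on which
 * the DROP rule first matches, or 0 if it never does. */
unsigned int first_drop(unsigned int npackets, unsigned long seconds,
                        unsigned int hit_count)
{
    struct recent_entry e = { .seen = 0 };
    unsigned int n;
    for (n = 1; n <= npackets; n++) {
        recent_set(&e, n);
        if (recent_match(&e, n, seconds, hit_count))
            return n;
    }
    return 0;
}
```

With the default table size, first_drop(100, 60, 20) matches on the 20th packet while first_drop(100, 60, 21) returns 0 for all 100 packets, which is the unlimited behaviour the report describes.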

Comment 1 Luis Claudio R. Goncalves 2009-10-14 21:45:59 UTC
Patch bz523986-ipt_recent-sanity-check-hit-count.patch, backport of commit d0ebf133590abdc035af6e19a6568667af0ab3b0 from Linus' tree, was added to kernel's -135 queue.

Comment 2 David Sommerseth 2009-10-27 16:46:04 UTC
Verified by running the reproducing routine.

On 2.6.24.7-132 the following iptables command was allowed:
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP

On 2.6.24.7-136 the same command failed:
(64bit kernel)
[root@hp-dl585g2-01 ~]# iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP
iptables: Unknown error 18446744073709551615

(32bit kernel)
[root@intel-greencity-01 ~]# iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP
iptables: Unknown error 4294967295

Comment 4 errata-xmlrpc 2009-11-03 18:22:05 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1540.html