Bug 155970 - 20050301 netfilter: fix crash on nat+icmp packets
20050301 netfilter: fix crash on nat+icmp packets
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Miller
Brian Brock
impact=unknown,public=20050302,report...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-04-26 08:13 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-27 02:59:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2005-04-26 08:13:56 EDT
See https://lists.netfilter.org/pipermail/netfilter-devel/2005-March/018657.html

"This patch fixes a kernel crashing bug when using NAT. The crash occurs in 
the case when we send out a UDP packet to a closed port on another host, 
with the UDP packet being SNATed. The remote host replies with an ICMP 
port unreachable (type 3, code 3). We need to adjust the ICMP packet, 
because the UDP packet was SNATed."

This may have security consequences.

Was fixed in 2.6.11 as part of
http://linux.bkbits.net:8080/linux-2.6/cset%4041ec35b6VPThEopl5t0ffdbUp7PweQ
Comment 1 David Miller 2005-04-26 19:01:02 EDT
Rusty's patch is enormous, breaks the kABI of netfilter completely,
and we're still fixing fallout from that change in 2.6.12-rcX

But the patch in the netfilter posting is OK, simple, not
a kABI breaker, and correct.  I'll try to cons up a clean
RHEL4 patch for davej, but no promises on getting to that
this week as I'm very busy with existing stuff and leave for
Chicago on Thursday afternoon.
Comment 2 David Miller 2005-07-27 02:59:52 EDT
Actually, the 2.6.9 based code we have in RHEL4 does not have
this bug.  It references the IP header via skb->nh.iph which
is fine.  Later code used a local variable to store the pointer,
which is what introduced the bug.

Therefore RHEL4 does not have this problem and we need do nothing.

Note You need to log in before you can comment on or make changes to this bug.