Bug 523982 - kernel: ipt_recent: sanity check hit count [rhel-5.5]
Summary: kernel: ipt_recent: sanity check hit count [rhel-5.5]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.5
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Cong Wang
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Duplicates: 523977
Depends On:
Blocks: 523983 523985 523986 525215 527434 533192
 
Reported: 2009-09-17 13:44 UTC by Eugene Teo (Security Response)
Modified: 2013-09-30 02:09 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 523983 523985 523986
Environment:
Last Closed: 2010-03-30 06:50:10 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
reproducer for RHTS (1.99 KB, application/x-sh), 2010-02-12 15:10 UTC, Jan Tluka


Links
Red Hat Product Errata RHSA-2010:0178 (normal, SHIPPED_LIVE): Important: Red Hat Enterprise Linux 5.5 kernel security and bug fix update, last updated 2010-03-29 12:18:21 UTC

Description Eugene Teo (Security Response) 2009-09-17 13:44:44 UTC
Quoting upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d0ebf133590abdc035af6e19a6568667af0ab3b0

  If a rule using ipt_recent is created with a hit count greater than
  ip_pkt_list_tot, the rule will never match as it cannot keep track
  of enough timestamps. This patch makes ipt_recent refuse to create such
  rules.

Version-Release number of selected component (if applicable):
kernel-2.6.18-164.el5

Steps to Reproduce:
Outlined in the upstream commit; this variant, using TCP connections instead of
UDP connections, worked a little better for me:

iptables rules:

iptables -F
iptables -A INPUT -p tcp --dport 1235 -m recent --remove --name test
iptables -A INPUT -p tcp --syn --dport 1234 -m recent --set --name test
iptables -A INPUT -p tcp --syn --dport 1234 -m recent --update --seconds 60 \
    --hitcount 20 --name test -j REJECT

run testing server as:

while : ; do nc -l 0.0.0.0 1234 ; done

client side:

# remove previous recent entries to get a clean state: any TCP packet to
# port 1235 hits the --remove rule; nothing listens there, so silence nc's
# "connection refused" rather than echo's (unused) stderr
echo | nc 127.0.0.1 1235 2>/dev/null
cat /proc/net/ipt_recent/test

for i in `seq 1 30`; do
  echo $i | nc 127.0.0.1 1234; sleep 0.2
done

When hitcount 20 is used, you can see only 19 connections to the server are
allowed.  Raising hitcount to 21 (assuming default ip_pkt_list_tot), unlimited
number of connections are allowed.

After the fix, an attempt to create rule with hitcount higher than
ip_pkt_list_tot should result in error:

  iptables: Invalid argument
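
Why a hitcount above ip_pkt_list_tot can never match, shown with an added
userspace model (example code written for this page; it is not the kernel's
ipt_recent code and not part of the bug report). It follows the logic the
upstream commit describes: each tracked address keeps its hit times in a ring
of ip_pkt_list_tot slots, --set records a stamp, and --update counts the stamps
inside the --seconds window and matches once --hitcount of them are found.
Assumptions: the default ip_pkt_list_tot of 20, millisecond timestamps, one
client sending a SYN every 200 ms as in the reproducer, and the function names
used here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed default of the ipt_recent module parameter ip_pkt_list_tot. */
#define IP_PKT_LIST_TOT_DEFAULT 20

/* One tracked source address: a ring buffer of its most recent hit times.
 * The ring has ip_pkt_list_tot slots, so it never holds more stamps. */
struct recent_entry {
    unsigned long *stamps;   /* ring of timestamps (milliseconds here) */
    unsigned int nstamps;    /* slots filled so far, never above list_tot */
    unsigned int index;      /* next slot to (over)write */
    unsigned int list_tot;   /* ring size, i.e. ip_pkt_list_tot */
};

static void entry_init(struct recent_entry *e, unsigned int list_tot)
{
    e->stamps = calloc(list_tot, sizeof(*e->stamps));
    if (!e->stamps) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }
    e->nstamps = 0;
    e->index = 0;
    e->list_tot = list_tot;
}

/* --set (and --update on a match): store the current time in the next slot,
 * overwriting the oldest stamp once the ring is full. */
static void entry_update(struct recent_entry *e, unsigned long now)
{
    e->index %= e->list_tot;
    e->stamps[e->index++] = now;
    if (e->index > e->nstamps)
        e->nstamps = e->index;
    e->index %= e->list_tot;
}

/* --update --seconds <window> --hitcount <hit_count>: count the stamps inside
 * the window, match once hit_count are found. hits can never exceed
 * nstamps <= list_tot, which is the whole bug. window 0 means no time limit. */
static bool entry_check(const struct recent_entry *e, unsigned long now,
                        unsigned long window, unsigned int hit_count)
{
    unsigned int hits = 0;

    for (unsigned int i = 0; i < e->nstamps; i++) {
        if (window && e->stamps[i] + window < now)
            continue;               /* stamp is older than the window */
        if (++hits >= hit_count)
            return true;
    }
    return false;
}

/* The check the fix adds at rule-insertion time: refuse a hitcount the ring
 * cannot hold, which iptables then reports as "Invalid argument". */
static bool rule_check(unsigned int hit_count, unsigned int list_tot)
{
    if (hit_count > list_tot) {
        fprintf(stderr, "ipt_recent: hitcount (%u) is larger than packets "
                "to be remembered (%u)\n", hit_count, list_tot);
        return false;
    }
    return true;
}

/* Push n_attempts SYNs from one client through the two rules of the report,
 * one every `interval` ms:
 *   -m recent --set --name test                          (always records)
 *   -m recent --update --seconds S --hitcount H -j REJECT
 * Returns how many SYNs got past the REJECT rule. */
static unsigned int simulate(unsigned int n_attempts, unsigned long interval,
                             unsigned long window, unsigned int hit_count,
                             unsigned int list_tot)
{
    struct recent_entry e;
    unsigned int allowed = 0;

    entry_init(&e, list_tot);
    for (unsigned int i = 0; i < n_attempts; i++) {
        unsigned long now = (unsigned long)i * interval;

        entry_update(&e, now);                          /* rule 1: --set */
        if (entry_check(&e, now, window, hit_count))    /* rule 2: --update */
            entry_update(&e, now);  /* --update also refreshes on a match */
        else
            allowed++;
    }
    free(e.stamps);
    return allowed;
}

int main(void)
{
    const unsigned int hitcounts[] = { 10, 20, 21 };

    for (size_t i = 0; i < sizeof(hitcounts) / sizeof(hitcounts[0]); i++) {
        unsigned int h = hitcounts[i];
        bool ok = rule_check(h, IP_PKT_LIST_TOT_DEFAULT);
        printf("hitcount %2u: %s; without the check %u of 30 SYNs pass\n",
               h, ok ? "rule accepted" : "rule refused",
               simulate(30, 200, 60000, h, IP_PKT_LIST_TOT_DEFAULT));
    }
    return 0;
}
```

With hitcount 20 the model lets 19 SYNs through and rejects the 20th and all
later ones inside the window, matching the observation above; with hitcount 21
the ring tops out at 20 stamps, the REJECT rule never fires, and all 30 SYNs
pass, which is exactly the silent failure the fix turns into an insertion-time
error.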

Comment 2 Eugene Teo (Security Response) 2009-09-17 14:22:15 UTC
*** Bug 523977 has been marked as a duplicate of this bug. ***

Comment 6 Don Zickus 2009-10-06 19:39:26 UTC
in kernel-2.6.18-168.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so.  However feel free
to provide a comment indicating that this fix has been verified.

Comment 10 Jan Tluka 2010-02-12 15:10:29 UTC
Created attachment 390504 [details]
reproducer for RHTS

The test now lives in /kernel/errata/5.5/523982

Comment 13 errata-xmlrpc 2010-03-30 06:50:10 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0178.html

