Bug 523983 - kernel: ipt_recent: sanity check hit count [rhel-4.9]
Summary: kernel: ipt_recent: sanity check hit count [rhel-4.9]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.9
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Assignee: Cong Wang
QA Contact: Evan McNabb
URL:
Whiteboard:
Depends On: 523982
Blocks: 529306
Reported: 2009-09-17 13:47 UTC by Eugene Teo (Security Response)
Modified: 2013-09-30 02:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 523982
Environment:
Last Closed: 2011-02-16 15:36:59 UTC




Links
Red Hat Product Errata RHSA-2011:0263 (priority: normal, status: SHIPPED_LIVE): Important: Red Hat Enterprise Linux 4.9 kernel security and bug fix update; last updated 2011-02-16 15:14:55 UTC

Description Eugene Teo (Security Response) 2009-09-17 13:47:49 UTC
+++ This bug was initially created as a clone of Bug #523982 +++

Description of problem:
If a rule using ipt_recent is created with a hit count greater than ip_pkt_list_tot, the rule will never match as it cannot keep track of enough timestamps. This patch makes ipt_recent refuse to create such rules.

With ip_pkt_list_tot's default value of 20, the following can be used to reproduce the problem.

nc -u -l 0.0.0.0 1234 &
for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done

This limits it to 20 packets:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 20 --name test --rsource -j DROP

While this is unlimited:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 21 --name test --rsource -j DROP

With the patch the second rule-set will throw an EINVAL.

Reported-by: Sean Kennedy <skennedy@vcn.com>
Signed-off-by: Daniel Hokka Zakrisson <daniel@hozac.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Upstream commit:
http://git.kernel.org/linus/d0ebf133590abdc035af6e19a6568667af0ab3b0
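An unpatched kernel accepts a --hitcount larger than ip_pkt_list_tot without complaint, so the only way to notice such a rule is to look for it. The following audit script is an added example, not part of this bug report or the upstream patch: it reads iptables-save output, extracts the hit count of every recent rule, and flags any that exceeds the running ip_pkt_list_tot. The sysfs parameter paths and the sample rule set are assumptions constructed for the example.

```python
"""Flag -m recent rules whose --hitcount exceeds ip_pkt_list_tot.
Added example; the sample rules and sysfs paths are assumptions."""
import shlex

DEFAULT_PKT_LIST_TOT = 20  # ipt_recent's default ip_pkt_list_tot
# Assumed sysfs locations of the module parameter (ipt_recent on older
# kernels, xt_recent on newer ones); fall back to the default if absent.
PARAM_PATHS = ("/sys/module/ipt_recent/parameters/ip_pkt_list_tot",
               "/sys/module/xt_recent/parameters/ip_pkt_list_tot")


def read_pkt_list_tot(paths=PARAM_PATHS, default=DEFAULT_PKT_LIST_TOT):
    """Return the running kernel's ip_pkt_list_tot, or the default."""
    for path in paths:
        try:
            with open(path) as fh:
                return int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return default


def find_unmatchable_rules(save_output, pkt_list_tot):
    """Return [(rule, hitcount)] for recent rules that can never match.

    ipt_recent keeps at most pkt_list_tot timestamps per source, so an
    unpatched kernel accepts a larger --hitcount but the rule never fires.
    """
    flagged = []
    for line in save_output.splitlines():
        argv = shlex.split(line.strip())
        if not argv or argv[0] != "-A":
            continue  # table names, chain policies and COMMIT are not rules
        matches = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-m"]
        if "recent" not in matches or "--hitcount" not in argv:
            continue  # --set rules carry no hit count and are always fine
        hitcount = int(argv[argv.index("--hitcount") + 1])
        if hitcount > pkt_list_tot:
            flagged.append((line.strip(), hitcount))
    return flagged


# Constructed iptables-save excerpt; the last rule mirrors the report's
# "unlimited" rule set (hitcount 21 against the default of 20).
SAMPLE_SAVE = """\
*filter
-A OUTPUT -p udp -m udp --dport 1234 -m recent --set --name test --rsource
-A OUTPUT -p udp -m udp --dport 1234 -m recent --update --seconds 60 --hitcount 20 --name test --rsource -j DROP
-A OUTPUT -p udp -m udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP
COMMIT
"""
```

Run it against real output with `find_unmatchable_rules(open("rules.txt").read(), read_pkt_list_tot())` after saving `iptables-save` to a file; on the sample it flags only the hitcount 21 rule.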

Comment 2 RHEL Product and Program Management 2009-10-13 13:50:03 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Vivek Goyal 2009-10-30 18:05:24 UTC
Committed in 89.14.EL. RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 11 errata-xmlrpc 2011-02-16 15:36:59 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0263.html
