Bug 523986 - kernel: ipt_recent: sanity check hit count [mrg-1]
Summary: kernel: ipt_recent: sanity check hit count [mrg-1]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: Development
Hardware: All
OS: Linux
high
high
Target Milestone: 1.1.9
: ---
Assignee: Luis Claudio R. Goncalves
QA Contact: David Sommerseth
URL:
Whiteboard:
Depends On: 523982
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-17 13:51 UTC by Eugene Teo (Security Response)
Modified: 2016-05-22 23:28 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 523982
Environment:
Last Closed: 2009-11-03 18:22:05 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1540 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2009-11-03 18:21:07 UTC

Description Eugene Teo (Security Response) 2009-09-17 13:51:59 UTC 
+++ This bug was initially created as a clone of Bug #523982 +++

Description of problem:
If a rule using ipt_recent is created with a hit count greater than ip_pkt_list_tot, the rule will never match as it cannot keep track of enough timestamps. This patch makes ipt_recent refuse to create such rules.

With ip_pkt_list_tot's default value of 20, the following can be used to reproduce the problem.

nc -u -l 0.0.0.0 1234 &
for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done

This limits it to 20 packets:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 20 --name test --rsource -j DROP

While this is unlimited:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 21 --name test --rsource -j DROP

With the patch the second rule-set will throw an EINVAL.

Reported-by: Sean Kennedy <skennedy>
Signed-off-by: Daniel Hokka Zakrisson <daniel>
Signed-off-by: Patrick McHardy <kaber>
Signed-off-by: David S. Miller <davem>

Upstream commit:
http://git.kernel.org/linus/d0ebf133590abdc035af6e19a6568667af0ab3b0
Comment 1 Luis Claudio R. Goncalves 2009-10-14 21:45:59 UTC 
Patch bz523986-ipt_recent-sanity-check-hit-count.patch, backport of commit d0ebf133590abdc035af6e19a6568667af0ab3b0 from Linus' tree, was added to kernel's -135 queue.
Comment 2 David Sommerseth 2009-10-27 16:46:04 UTC 
Verified by running reproducing routine.

On 2.6.24.7-132 the following iptables command was allowed:
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP

On 2.6.24.7-136 the same command failed:
(64bit kernel)
[root@hp-dl585g2-01 ~]# iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP
iptables: Unknown error 18446744073709551615

(32bit kernel)
[root@intel-greencity-01 ~]# iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP
iptables: Unknown error 4294967295
Comment 4 errata-xmlrpc 2009-11-03 18:22:05 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1540.html
Note You need to log in before you can comment on or make changes to this bug.