netfilter: nf_conntrack_irc: Fix forged IP logic

Ensure the match happens in the right direction, previously the destination used was the server, not the NAT host, as the comment shows the code intended. Additionally nf_nat_irc uses port 0 as a signal and there's no valid way it can appear in a DCC message, so consider port 0 also forged. Fixes: 869f37d8 ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port") Signed-off-by: N David Leadbeater <dgl@dgl.cx> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nf_conntrack_irc: Fix forged IP logic
Ensure the match happens in the right direction, previously the destination used was the server, not the NAT host, as the comment shows the code intended. Additionally nf_nat_irc uses port 0 as a signal and there's no valid way it can appear in a DCC message, so consider port 0 also forged. Fixes: 869f37d8 ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port") Signed-off-by: N David Leadbeater <dgl@dgl.cx> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
0efe125c · David Leadbeater · Pablo Neira Ayuso · 77972a36 · 0efe125c
隐藏空白更改
内联并排

Showing with 3 addition and 2 deletion

net/netfilter/nf_conntrack_irc.c net/netfilter/nf_conntrack_irc.c +3 -2

未找到文件。
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -194,8 +194,9 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 			/* dcc_ip can be the internal OR external (NAT'ed) IP */
 			tuple = &ct->tuplehash[dir].tuple;
-			if (tuple->src.u3.ip != dcc_ip &&
+			if ((tuple->src.u3.ip != dcc_ip &&
-			    tuple->dst.u3.ip != dcc_ip) {
+			     ct->tuplehash[!dir].tuple.dst.u3.ip != dcc_ip) ||
+			    dcc_port == 0) {
 				net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n",
 						     &tuple->src.u3.ip,
 						     &dcc_ip, dcc_port);