1. 28 9月, 2012 22 次提交
  2. 26 9月, 2012 1 次提交
  3. 25 9月, 2012 15 次提交
  4. 24 9月, 2012 2 次提交
    • P
      netfilter: nfnetlink_queue: add NFQA_CAP_LEN attribute · 6ee584be
      Pablo Neira Ayuso 提交于
      This patch adds the NFQA_CAP_LEN attribute that allows us to know
      what is the real packet size from user-space (even if we decided
      to retrieve just a few bytes from the packet instead of all of it).
      
      Security software that inspects packets should always check for
      this new attribute to make sure that it is inspecting the entire
      packet.
      
      This also helps to provide a workaround for the problem described
      in: http://marc.info/?l=netfilter-devel&m=134519473212536&w=2
      
      Original idea from Florian Westphal.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      6ee584be
    • P
      netfilter: nfnetlink_queue: fix maximum packet length to userspace · ba8d3b0b
      Pablo Neira Ayuso 提交于
      The packets that we send via NFQUEUE are encapsulated in the NFQA_PAYLOAD
      attribute. The length of the packet in userspace is obtained via
      attr->nla_len field. This field contains the size of the Netlink
      attribute header plus the packet length.
      
      If the maximum packet length is specified, ie. 65535 bytes, and
      packets in the range of (65531,65535] are sent to userspace, the
      attr->nla_len overflows and it reports bogus lengths to the
      application.
      
      To fix this, this patch limits the maximum packet length to 65531
      bytes. If larger packet length is specified, the packet that we
      send to user-space is truncated to 65531 bytes.
      
      To support 65535 bytes packets, we have to revisit the idea of
      the 32-bits Netlink attribute length.
      Reported-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      ba8d3b0b