From 48dcafcd0a5a48a735bec4f1207e159eebc5f08f Mon Sep 17 00:00:00 2001
From: Niels Werensteijn
Date: Mon, 10 Oct 2016 15:50:26 +0200
Subject: [PATCH] make sure we use ipv4 or ipv6

---
 src/libxt_ts3init.c | 84 ++++++++++++++++++++++++++++++---------------
 src/ts3init_match.c | 37 ++++++++++++++------
 2 files changed, 83 insertions(+), 38 deletions(-)

diff --git a/src/libxt_ts3init.c b/src/libxt_ts3init.c
index aff7dd3..ef41c27 100644
--- a/src/libxt_ts3init.c
+++ b/src/libxt_ts3init.c
@@ -17,6 +17,7 @@
 #include "ts3init_match.h"
 #define param_act(t, s, f) xtables_param_act((t), "ts3init_get_cookie", (s), (f))
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
 static void ts3init_get_cookie_help(void)
 {
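Review bot: The new `ARRAY_SIZE` macro is defined unconditionally; the iptables headers this file already includes may provide a macro of the same name, and a second definition with a different token sequence is a compile error, so guard it: `#ifndef ARRAY_SIZE` / `#define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))` / `#endif`. The macro also yields a silently wrong count when handed a pointer instead of an array; its one use in ts3init_mt_ldr passes a real array, so a one-line comment such as `/* element count of a real array; do not use on a pointer */` is enough.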
@@ -189,37 +190,64 @@ static void ts3init_get_puzzle_print(const void *ip, const struct xt_entry_match
 }
 /* register and init */
-static struct xtables_match ts3init_get_cookie_mt_reg = {
- .name = "ts3init_get_cookie",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_ts3init_get_cookie_mtinfo)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_get_cookie_mtinfo)),
- .help = ts3init_get_cookie_help,
- .parse = ts3init_get_cookie_parse,
- .print = ts3init_get_cookie_print,
- .save = ts3init_get_cookie_save,
- .extra_opts = ts3init_get_cookie_opts,
-};
-
-static struct xtables_match ts3init_get_puzzle_mt_reg = {
- .name = "ts3init_get_puzzle",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_ts3init_get_puzzle_mtinfo)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_get_puzzle_mtinfo)),
- .help = ts3init_get_puzzle_help,
- .parse = ts3init_get_puzzle_parse,
- .print = ts3init_get_puzzle_print,
- .save = ts3init_get_puzzle_save,
- .extra_opts = ts3init_get_puzzle_opts,
+static struct xtables_match ts3init_mt_reg[] =
+{
+ {
+ .name = "ts3init_get_cookie",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ts3init_get_cookie_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_get_cookie_mtinfo)),
+ .help = ts3init_get_cookie_help,
+ .parse = ts3init_get_cookie_parse,
+ .print = ts3init_get_cookie_print,
+ .save = ts3init_get_cookie_save,
+ .extra_opts = ts3init_get_cookie_opts,
+ },
+ {
+ .name = "ts3init_get_cookie",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ts3init_get_cookie_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_get_cookie_mtinfo)),
+ .help = ts3init_get_cookie_help,
+ .parse = ts3init_get_cookie_parse,
+ .print = ts3init_get_cookie_print,
+ .save = ts3init_get_cookie_save,
+ .extra_opts = ts3init_get_cookie_opts,
+ },
+ {
+ .name = "ts3init_get_puzzle",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ts3init_get_puzzle_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_get_puzzle_mtinfo)),
+ .help = ts3init_get_puzzle_help,
+ .parse = ts3init_get_puzzle_parse,
+ .print = ts3init_get_puzzle_print,
+ .save = ts3init_get_puzzle_save,
+ .extra_opts = ts3init_get_puzzle_opts,
+ },
+ {
+ .name = "ts3init_get_puzzle",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ts3init_get_puzzle_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_get_puzzle_mtinfo)),
+ .help = ts3init_get_puzzle_help,
+ .parse = ts3init_get_puzzle_parse,
+ .print = ts3init_get_puzzle_print,
+ .save = ts3init_get_puzzle_save,
+ .extra_opts = ts3init_get_puzzle_opts,
+ }
 };
 static __attribute__((constructor)) void ts3init_mt_ldr(void)
 {
- xtables_register_match(&ts3init_get_cookie_mt_reg);
- xtables_register_match(&ts3init_get_puzzle_mt_reg);
+ xtables_register_matches(ts3init_mt_reg, ARRAY_SIZE(ts3init_mt_reg));
 }
diff --git a/src/ts3init_match.c b/src/ts3init_match.c
index a7918ef..fb7a1ae 100644
--- a/src/ts3init_match.c
+++ b/src/ts3init_match.c
@@ -153,6 +153,12 @@ static int ts3init_get_cookie_mt_check(const struct xt_mtchk_param *par)
 {
 struct xt_ts3init_get_cookie_mtinfo *info = par->matchinfo;
+ if (! (par->family == NFPROTO_IPV4 || par->family == NFPROTO_IPV6))
+ {
+ printk(KERN_INFO KBUILD_MODNAME ": invalid protocol (only ipv4 and ipv6) for get_cookie\n");
+ return -EINVAL;
+ }
+
 if (info->common_options & ~(CHK_COMMON_VALID_MASK))
 {
 printk(KERN_INFO KBUILD_MODNAME ": invalid (common) options for get_cookie\n");
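Review bot: Nothing in the new `ts3init_mt_reg[]` says why every match is now listed twice, and the four initializers differ only in `.name` and `.family`, so a reader will suspect a copy-paste slip; a comment above the array should record the intent, e.g. `/* one entry per address family so both iptables (NFPROTO_IPV4) and ip6tables (NFPROTO_IPV6) find the match; the kernel checkentry rejects every other family */`. The kernel half of that contract is the `par->family` check added in the ts3init_match.c hunks of this commit; if the kernel-side `xt_match` registrations (not in this diff) still use NFPROTO_UNSPEC, that check is the only thing keeping other families out, so the two sides need to stay in step.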
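Review bot: The family test `if (! (par->family == NFPROTO_IPV4 || par->family == NFPROTO_IPV6))` reads more directly as `if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6)`, and the identical block is repeated verbatim in the get_puzzle checkentry hunk (`@@ -221,6 +231,13 @@`) at the end of this file. A small `static bool ts3init_family_ok(const struct xt_mtchk_param *par)` used by both would keep the two messages and return codes from drifting apart. The `printk(KERN_INFO ...)` and `-EINVAL` match the existing options check below, so no change there. The enclosing ts3init_get_cookie_mt_check continues past the end of the hunk.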
@@ -173,18 +179,18 @@ ts3init_get_puzzle_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 const struct xt_ts3init_get_puzzle_mtinfo *info = par->matchinfo;
 struct ts3_init_checked_header_data header_data;
-
+
 if (!check_header(skb, par, GET_PUZZLE_PAYLOAD_SIZE, &header_data))
 return false;
-
+
 if (header_data.ts3_header->command != 2)
 return false;
-
+
 if (info->specific_options & CHK_GET_PUZZLE_CHECK_COOKIE)
 {
 struct ts3init_cache_t* cache;
 struct ts3_init_header* ts3_header = header_data.ts3_header;
- __u64* cookie_seed;
- /*__u8 cookie[8];*/
+ __u64* cookie_seed, cookie_seed0, cookie_seed1;
+
 unsigned long jifs;
 time_t current_unix_time;
@@ -194,26 +200,30 @@ ts3init_get_puzzle_mt(const struct sk_buff *skb, struct xt_action_param *par)
 update_cache_time(jifs, cache);
 current_unix_time = cache->unix_time;
-
+
 cookie_seed = ts3init_get_cookie_seed(current_unix_time, ts3_header->payload[8], &cache->cookie_cache, info->cookie_seed);
-
+
 if (!cookie_seed)
 {
 put_cpu_var(ts3init_cache);
 return false;
 }
-
+
+ cookie_seed0 = cookie_seed[0];
+ cookie_seed1 = cookie_seed[1];
+
+ put_cpu_var(ts3init_cache);
+
 /* use cookie_seed and ipaddress and port to create a hash * (cookie) for this connection */
 /* TODO: implement using sipHash */
- put_cpu_var(ts3init_cache);
 /* compare cookie with payload bytes 0-7. if equal, cookie * is valid */
 /*if (memcmp(cookie, ts3_header->payload, 8) != 0) return false;*/
-
+
 }
 return true;
 }
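Review bot: The declaration `__u64* cookie_seed, cookie_seed0, cookie_seed1;` binds the `*` to `cookie_seed` only, so `cookie_seed0` and `cookie_seed1` are plain `__u64`; that happens to be what the later `cookie_seed0 = cookie_seed[0];` needs, but anyone reading the line will take all three for pointers. Split it into `__u64 *cookie_seed;` and `__u64 cookie_seed0, cookie_seed1;`. The two copies are assigned and never read, since the hash is still a TODO, so expect a set-but-unused warning until the hash is implemented. ts3init_get_puzzle_mt starts before this hunk.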
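Review bot: Copying the seed words out before `put_cpu_var(ts3init_cache)` fixes the earlier ordering, but the function still returns true for every packet that passes check_header when CHK_GET_PUZZLE_CHECK_COOKIE is set, because the cookie computation and the `memcmp` against payload bytes 0-7 stay commented out; a rule author going by the option name will assume the cookie is verified. Until the sipHash work lands, state that where the option is handled, e.g. `/* NOTE: cookie verification is not implemented yet; CHECK_COOKIE currently accepts every packet that reaches this point */`. `cookie_seed[1]` is also read without anything in the hunk showing the seed holds two 64-bit words; a comment on ts3init_get_cookie_seed's return value (outside this hunk) should pin that down. The enclosing function starts before the hunk.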
@@ -221,6 +231,13 @@ ts3init_get_puzzle_mt(const struct sk_buff *skb, struct xt_action_param *par)
 static int ts3init_get_puzzle_mt_check(const struct xt_mtchk_param *par)
 {
 struct xt_ts3init_get_puzzle_mtinfo *info = par->matchinfo;
+
+ if (! (par->family == NFPROTO_IPV4 || par->family == NFPROTO_IPV6))
+ {
+ printk(KERN_INFO KBUILD_MODNAME ": invalid protocol (only ipv4 and ipv6) for get_puzzle\n");
+ return -EINVAL;
+ }
+
 if (info->common_options & ~(CHK_COMMON_VALID_MASK))
 {
 printk(KERN_INFO KBUILD_MODNAME ": invalid (common) options for get_puzzle\n");