r4sas/ts3init_linux_netfilter_module
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fixed bug in TS3INIT_MORPH_TO_GET_COOKIE. Kernel won't panic anymore.

Browse Source
This commit is contained in:
Maximilian Münchow 2016-10-14 10:29:39 +02:00
parent ab7478727b
commit 4ab6b8f09d
1 changed files with 11 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
src/ts3init_target.c
View File

@ -386,9 +386,9 @@ ts3init_fill_get_cookie_payload(u8 *payload)
{
time_t current_unix_time = ts3init_get_cached_unix_time();
payload[TS3INIT_HEADER_CLIENT_LENGTH - 1] = COMMAND_GET_COOKIE;
payload[TS3INIT_HEADER_CLIENT_LENGTH + 0] = current_unix_time << 24;
payload[TS3INIT_HEADER_CLIENT_LENGTH + 1] = current_unix_time << 16;
payload[TS3INIT_HEADER_CLIENT_LENGTH + 2] = current_unix_time << 8;
payload[TS3INIT_HEADER_CLIENT_LENGTH + 0] = current_unix_time >> 24;
payload[TS3INIT_HEADER_CLIENT_LENGTH + 1] = current_unix_time >> 16;
payload[TS3INIT_HEADER_CLIENT_LENGTH + 2] = current_unix_time >> 8;
payload[TS3INIT_HEADER_CLIENT_LENGTH + 3] = current_unix_time;
get_random_bytes(&payload[TS3INIT_HEADER_CLIENT_LENGTH + 4], 4);
memset(&payload[TS3INIT_HEADER_CLIENT_LENGTH + 8], 0, 8);
@ -404,38 +404,24 @@ ts3init_morph_to_get_cookie_ipv4_tg(struct sk_buff *skb, const struct xt_action_
struct iphdr *ip;
struct udphdr *udp, udp_buf;
u8 *payload, payload_buf[TS3INIT_HEADER_CLIENT_LENGTH + 16];
unsigned int data_len;
int length_difference;
if (!skb_make_writable(skb, 0))
if (skb_put_padto(skb, sizeof(*ip) + sizeof(*udp) + sizeof(payload_buf)))
return NF_STOLEN;
if (!skb_make_writable(skb, skb->len))
return NF_DROP;
ip = ip_hdr(skb);
udp = skb_header_pointer(skb, par->thoff, sizeof(udp_buf), &udp_buf);
if (udp == NULL)
return NF_DROP;
if (ip->frag_off & htons(IP_OFFSET))
return NF_DROP;
data_len = ntohs(udp->len) - sizeof(*udp);
if (data_len < 1 || data_len > 512)
return NF_DROP;
length_difference = sizeof(payload_buf) - data_len;
if (length_difference > 0)
skb_put(skb, length_difference);
else if (length_difference < 0)
skb_trim(skb, skb->len + length_difference);
payload = skb_header_pointer(skb, par->thoff + sizeof(udp), sizeof(payload_buf), payload_buf);
payload = skb_header_pointer(skb, par->thoff + sizeof(*udp), sizeof(payload_buf), payload_buf);
ts3init_fill_get_cookie_payload(payload);
udp->len = htons(sizeof(*udp) + sizeof(payload_buf));
udp->check = 0;
udp->check = csum_tcpudp_magic(ip->saddr, ip->daddr,
ntohs(udp->len), IPPROTO_UDP,
csum_partial(udp, ntohs(udp->len), 0));
ip->tot_len = htons(skb->len);
skb->ip_summed = CHECKSUM_NONE;
@ -455,10 +441,10 @@ ts3init_morph_to_get_cookie_ipv6_tg(struct sk_buff *skb, const struct xt_action_
struct ipv6hdr *ip;
struct udphdr *udp, udp_buf;
u8 *payload, payload_buf[TS3INIT_HEADER_CLIENT_LENGTH + 16];
unsigned int data_len;
int length_difference;
if (!skb_make_writable(skb, 0))
if (skb_put_padto(skb, sizeof(*ip) + sizeof(*udp) + sizeof(payload_buf)))
return NF_STOLEN;
if (!skb_make_writable(skb, skb->len))
return NF_DROP;
ip = ipv6_hdr(skb);
@ -466,24 +452,11 @@ ts3init_morph_to_get_cookie_ipv6_tg(struct sk_buff *skb, const struct xt_action_
if (udp == NULL)
return NF_DROP;
data_len = ntohs(udp->len) - sizeof(*udp);
if (data_len < 1 || data_len > 512)
return NF_DROP;
length_difference = sizeof(payload_buf) - data_len;
if (length_difference > 0)
skb_put(skb, length_difference);
else if (length_difference < 0)
skb_trim(skb, skb->len + length_difference);
payload = skb_header_pointer(skb, par->thoff + sizeof(udp), sizeof(payload_buf), payload_buf);
payload = skb_header_pointer(skb, par->thoff + sizeof(*udp), sizeof(payload_buf), payload_buf);
ts3init_fill_get_cookie_payload(payload);
udp->len = htons(sizeof(*udp) + sizeof(payload_buf));
udp->check = 0;
udp->check = csum_ipv6_magic(&ip->saddr, &ip->daddr,
ntohs(udp->len), IPPROTO_UDP,
csum_partial(udp, ntohs(udp->len), 0));
ip->payload_len = htons(skb->len);
skb->ip_summed = CHECKSUM_NONE;