diff options
| author |   David Leadbeater <dgl@dgl.cx> | 2022-08-26 14:56:58 +1000 |
|---|---|---|
| committer |   Pablo Neira Ayuso <pablo@netfilter.org> | 2022-09-01 02:01:56 +0200 |
| commit | 0efe125cfb99e6773a7434f3463f7c2fa28f3a43 (patch) | |
| tree | 330bb73faf138404fc0b687822fbb8342521069b /net/netfilter | |
| parent | netfilter: nf_tables: clean up hook list when offload flags check fails (diff) | |
| download | linux-dev-0efe125cfb99e6773a7434f3463f7c2fa28f3a43.tar.xz linux-dev-0efe125cfb99e6773a7434f3463f7c2fa28f3a43.zip | |
netfilter: nf_conntrack_irc: Fix forged IP logic
Ensure the match happens in the right direction, previously the
destination used was the server, not the NAT host, as the comment
shows the code intended.
Additionally nf_nat_irc uses port 0 as a signal and there's no valid way
it can appear in a DCC message, so consider port 0 also forged.
Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: David Leadbeater <dgl@dgl.cx>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_conntrack_irc.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index 1796c456ac98..992decbcaa5c 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c @@ -194,8 +194,9 @@ static int help(struct sk_buff *skb, unsigned int protoff, /* dcc_ip can be the internal OR external (NAT'ed) IP */ tuple = &ct->tuplehash[dir].tuple; - if (tuple->src.u3.ip != dcc_ip && - tuple->dst.u3.ip != dcc_ip) { + if ((tuple->src.u3.ip != dcc_ip && + ct->tuplehash[!dir].tuple.dst.u3.ip != dcc_ip) || + dcc_port == 0) { net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n", &tuple->src.u3.ip, &dcc_ip, dcc_port); |