Harald Welte
2002-Jan-20 13:18 UTC
[ANNOUNCE] Bug in kernel == 2.4.10 causing netfilter problem
--AkbCVLjbJ9qUtAXD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi all! On behalf of the netfilter core team I have the following announcement: The following kernel versions habe a bug in include/linux/list.h, which causes netfilter's connection tracking code to misbehave: 2.4.10-pre10 2.4.10-pre11 2.4.10-pre12 2.4.10 The bug in include/linux/list.h has been fixed in 2.4.11-pre1 and all later kernels. SYMPTOMS OF THE PROBLEM =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D The connection tracking code for tcp has various timeouts for the respective TCP states the tracked connection can be in. =20 Because of the list_del() problem, the state machine of netfilter connection tracking doesn't work correctly anymore. Connections in the state TIME_WAIT or CLOSE_WAIT will have wrong timeouts up to multiple days (as opposed to their usual timeout, a couple of minutes). This results in the netfilter connection tracking table getting filled with old, unneeded connection tracking entries. This presents a vulnerability towards denial of service attacks. CAUSE OF THE PROBLEM =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 2.4.10-pre10 included the following change to list.h:> diff -u --recursive --new-file v2.4.9/linux/include/linux/list.h linux/include/linux/list.h > --- v2.4.9/linux/include/linux/list.h Fri Feb 16 16:06:17 2001 > +++ linux/include/linux/list.h Sun Sep 23 10:31:02 2001 > @@ -90,6 +92,7 @@ > static __inline__ void list_del(struct list_head *entry) > { > __list_del(entry->prev, entry->next); > + entry->next =3D entry->prev =3D 0; > } > =20 > /**This change breaks an assumption made by the netfilter connection tracking code in linux/net/ipv4/netfilter/ip_conntrack_core.c:> static void > clean_from_lists(struct ip_conntrack *ct) > { > MUST_BE_WRITE_LOCKED(&ip_conntrack_lock); > /* Remove from both hash lists: must not NULL out next ptrs, > otherwise we'll look unconfirmed. Fortunately, LIST_DELETE > doesn't do this. --RR */ > LIST_DELETE(&ip_conntrack_hash > [hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)], > &ct->tuplehash[IP_CT_DIR_ORIGINAL]); > LIST_DELETE(&ip_conntrack_hash > [hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple)], > &ct->tuplehash[IP_CT_DIR_REPLY]);LIST_DELETE is a macro expanding to list_del from linux/list.h SOLUTION TO THE PROBLEM =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Update to a kernel >=3D 2.4.11-pre1 (and don't use 2.4.11 for other reasons). If you really need to keep your 2.4.10 kernel for any reason, try reverting the list_del change, but this is completely untested and we have no idea how this might affect other subsystems of the kernel. Redistribution of this announcement is encouraged, provided that its content remains unchanged. (C) 2002 by the netfilter core team. Thanks to Jozsef Kadlecsik for finding the real cause of this problem. --=20 Live long and prosper - Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/ =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-=20 V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*) --AkbCVLjbJ9qUtAXD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8SsOTNfqJzMqajVsRAs0vAKC7/KAmjLA3nq3ekERmwqhki3swRgCfTZ7M YRH4snGnU8Z9YNVhwFH1cLM=ALO6 -----END PGP SIGNATURE----- --AkbCVLjbJ9qUtAXD--
Apparently Analagous Threads
- [SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS
- [Bug 466] u.tcp used where u.udp should be, in tftp nat helper
- [Bug 512] poptop (pptpd) will not work if ip_nat_pptp loaded
- [Bug 714] New: Kernel panics in same_src()
- [Bug 831] New: oops in find_appropriate_src+219