Commit 0efe125c authored by David Leadbeater, committed by Pablo Neira Ayuso

netfilter: nf_conntrack_irc: Fix forged IP logic
Ensure the match happens in the right direction; previously the
destination used was the server, not the NAT host, as the comment
shows the code intended.

Additionally nf_nat_irc uses port 0 as a signal and there's no valid way
it can appear in a DCC message, so consider port 0 also forged.

Fixes: 869f37d8 ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: David Leadbeater <dgl@dgl.cx>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 77972a36
+3 −2
@@ -194,8 +194,9 @@ static int help(struct sk_buff *skb, unsigned int protoff,

			/* dcc_ip can be the internal OR external (NAT'ed) IP */
			tuple = &ct->tuplehash[dir].tuple;
			if (tuple->src.u3.ip != dcc_ip &&
			    tuple->dst.u3.ip != dcc_ip) {
			if ((tuple->src.u3.ip != dcc_ip &&
			     ct->tuplehash[!dir].tuple.dst.u3.ip != dcc_ip) ||
			    dcc_port == 0) {
				net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n",
						     &tuple->src.u3.ip,
						     &dcc_ip, dcc_port);
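Review bot: the comment "dcc_ip can be the internal OR external (NAT'ed) IP" above the check now undersells what the code does; suggest extending it to say that the internal address is taken from the original-direction source (tuple->src.u3.ip) and the external, NAT'ed address from the reply-direction destination (ct->tuplehash[!dir].tuple.dst.u3.ip), so the next reader does not reintroduce the old tuple->dst.u3.ip comparison, which pointed at the IRC server rather than the NAT host. For a non-NATed connection the reply destination equals the original source, so the new test degrades to a plain source-address check, which is the intended behaviour. Consider also splitting the dcc_port == 0 case out of the combined condition, or mentioning it in the comment, since the "Forged DCC command" warning currently covers both the address mismatch and the port-0 sentinel that nf_nat_irc reserves, and a distinct message would make the ratelimited log easier to triage.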