patch-2.4.23 linux-2.4.23/net/ipv4/netfilter/ip_nat_helper.c

• Lines: 54
• Date: 2003-11-28 10:26:21.000000000 -0800
• Orig file: linux-2.4.22/net/ipv4/netfilter/ip_nat_helper.c
• Orig date: 2003-08-25 04:44:44.000000000 -0700

diff -urN linux-2.4.22/net/ipv4/netfilter/ip_nat_helper.c linux-2.4.23/net/ipv4/netfilter/ip_nat_helper.c
@@ -195,16 +195,11 @@
 		skb_trim(*skb, newlen);
 	}
 
-	/* fix checksum information */
-
 	iph->tot_len = htons(newlen);
-	(*skb)->csum = csum_partial((char *)tcph + tcph->doff*4,
-				    newtcplen - tcph->doff*4, 0);
-
+	/* fix checksum information */
 	tcph->check = 0;
 	tcph->check = tcp_v4_check(tcph, newtcplen, iph->saddr, iph->daddr,
-				   csum_partial((char *)tcph, tcph->doff*4,
-					   (*skb)->csum));
+				   csum_partial((char *)tcph, newtcplen, 0));
 	ip_send_check(iph);
 
 	return 1;
@@ -238,6 +233,13 @@
 	newudplen = udplen - match_len + rep_len;
 	newlen = iph->ihl*4 + newudplen;
 
+	/* UDP helpers might accidentally mangle the wrong packet */
+	if (udplen < sizeof(*udph) + match_offset + match_len) {
+		if (net_ratelimit())
+			printk("ip_nat_mangle_udp_packet: undersized packet\n");
+		return 0;
+	}
+
 	if (newlen > 65535) {
 		if (net_ratelimit())
 			printk("ip_nat_mangle_udp_packet: nat'ed packet "
@@ -299,18 +301,12 @@
 	iph->tot_len = htons(newlen);
 
 	/* fix udp checksum if udp checksum was previously calculated */
-	if ((*skb)->csum != 0) {
-		(*skb)->csum = csum_partial((char *)udph +
-					    sizeof(struct udphdr),
-					    newudplen - sizeof(struct udphdr),
-					    0);
-
+	if (udph->check != 0) {
 		udph->check = 0;
 		udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
 						newudplen, IPPROTO_UDP,
 						csum_partial((char *)udph,
-							 sizeof(struct udphdr),
-							(*skb)->csum));
+						             newudplen, 0));
 	}
 
 	ip_send_check(iph);