diff options
Diffstat (limited to 'netfilter-x_tables-deal-with-bogus-nextoffset-values.patch')
-rw-r--r-- | netfilter-x_tables-deal-with-bogus-nextoffset-values.patch | 109 |
1 files changed, 0 insertions, 109 deletions
diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch deleted file mode 100644 index e6f5fa6f5..000000000 --- a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 2b32a7d82223d76ace432305b18c5816cadff878 Mon Sep 17 00:00:00 2001 -From: Florian Westphal <fw () strlen ! de> -Date: Thu, 10 Mar 2016 00:56:02 -0800 -Subject: [PATCH] netfilter: x_tables: deal with bogus nextoffset values - -Ben Hawkes says: - - In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it - is possible for a user-supplied ipt_entry structure to have a large - next_offset field. This field is not bounds checked prior to writing a - counter value at the supplied offset. - -Problem is that xt_entry_foreach() macro stops iterating once e->next_offset -is out of bounds, assuming this is the last entry. - -With malformed data thats not necessarily the case so we can -write outside of allocated area later as we might not have walked the -entire blob. - -Fix this by simplifying mark_source_chains -- it already has to check -if nextoff is in range to catch invalid jumps, so just do the check -when we move to a next entry as well. - -Signed-off-by: Florian Westphal <fw@strlen.de> ---- - net/ipv4/netfilter/arp_tables.c | 8 ++++++++ - net/ipv4/netfilter/ip_tables.c | 8 ++++++++ - net/ipv6/netfilter/ip6_tables.c | 6 ++++++ - 3 files changed, 22 insertions(+) - -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index 2033f92..a9b6c76 100644 ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -376,6 +376,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - - /* Move along one */ - size = e->next_offset; -+ -+ if (pos + size > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct arpt_entry *) - (entry0 + pos + size); - if (pos + size >= newinfo->size) -@@ -399,6 +403,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - if (newpos >= newinfo->size) - return 0; - } -+ -+ if (newpos > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct arpt_entry *) - (entry0 + newpos); - e->counters.pcnt = pos; -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index 54906e0..7530ecd 100644 ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -447,6 +447,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - - /* Move along one */ - size = e->next_offset; -+ -+ if (pos + size > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct ipt_entry *) - (entry0 + pos + size); - if (pos + size >= newinfo->size) -@@ -470,6 +474,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - if (newpos >= newinfo->size) - return 0; - } -+ -+ if (newpos > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct ipt_entry *) - (entry0 + newpos); - e->counters.pcnt = pos; -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index 63e06c3..894da69 100644 ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -474,6 +474,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - - /* Move along one */ - size = e->next_offset; -+ if (pos + size > newinfo->size - sizeof(*e)) -+ return 0; - e = (struct ip6t_entry *) - (entry0 + pos + size); - if (pos + size >= newinfo->size) -@@ -497,6 +499,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - if (newpos >= newinfo->size) - return 0; - } -+ -+ if (newpos > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct ip6t_entry *) - (entry0 + newpos); - e->counters.pcnt = pos; --- -2.5.5 - |