git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 10 Mar 2016 16:26:39 +0000 (17:26 +0100)
committer	Seth Forshee <seth.forshee@canonical.com>
	Tue, 5 Sep 2017 12:33:18 +0000 (07:33 -0500)
commit	dc7e5118c616390344184c231b18136b99169945
tree	27cd14d0421a927ca2e4741cc740aaea8c497753	tree
parent	72d89ab4978d33e42dbd6cd0758c22bfa7bc39fa	commit \| diff

UBUNTU: SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

BugLink: http://bugs.launchpad.net/bugs/1555338
Ben Hawkes says:

In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.

Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
is out of bounds, assuming this is the last entry.

With malformed data thats not necessarily the case so we can
write outside of allocated area later as we might not have walked the
entire blob.

Fix this by simplifying mark_source_chains -- it already has to check
if nextoff is in range to catch invalid jumps, so just do the check
when we move to a next entry as well.

Also, check that the offset meets the xtables_entry alignment.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Chris J. Arges <chris.j.arges@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

net/ipv4/netfilter/arp_tables.c		diff \| blob \| blame \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| blame \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| blame \| history