]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2977eee) | patch
netfilter: nf_tables: sanitize nft_set_desc_concat_parse()
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 27 May 2022 07:56:18 +0000 (09:56 +0200)
committerThadeu Lima de Souza Cascardo <cascardo@canonical.com>
Wed, 1 Jun 2022 17:09:56 +0000 (14:09 -0300)
commitfecb0b790a6cce3238013ecad747f45e69257687
tree332863189b3ae1c8083eee2309a33212b27c9f45tree
parent2977eeec1030b67b009ef4456fd9b214d9db4c02commit | diff
netfilter: nf_tables: sanitize nft_set_desc_concat_parse()

BugLink: https://bugs.launchpad.net/bugs/1976363
Add several sanity checks for nft_set_desc_concat_parse():

- validate desc->field_count not larger than desc->field_len array.
- field length cannot be larger than desc->field_len (ie. U8_MAX)
- total length of the concatenation cannot be larger than register array.

Joint work with Florian Westphal.

Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields")
Reported-by: <zhangziming.zzm@antgroup.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit fecf31ee395b0295f2d7260aa29946b7605f7c85 net.git)
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
net/netfilter/nf_tables_api.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror