netfilter: xt_u32: validate user space input
The xt_u32 module doesn't validate the fields in the xt_u32 structure.
An attacker may take advantage of this to trigger an OOB read by setting
the size fields with a value beyond the arrays boundaries.
Add a checkentry function to validate the structure.
This was originally reported by the ZDI project (ZDI-CAN-18408).
Fixes: 1b50b8a371
("[NETFILTER]: Add u32 match")
Cc: stable@vger.kernel.org
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
e994764976
commit
69c5d284f6
@ -96,11 +96,32 @@ static bool u32_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
|||||||
return ret ^ data->invert;
|
return ret ^ data->invert;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int u32_mt_checkentry(const struct xt_mtchk_param *par)
|
||||||
|
{
|
||||||
|
const struct xt_u32 *data = par->matchinfo;
|
||||||
|
const struct xt_u32_test *ct;
|
||||||
|
unsigned int i;
|
||||||
|
|
||||||
|
if (data->ntests > ARRAY_SIZE(data->tests))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
for (i = 0; i < data->ntests; ++i) {
|
||||||
|
ct = &data->tests[i];
|
||||||
|
|
||||||
|
if (ct->nnums > ARRAY_SIZE(ct->location) ||
|
||||||
|
ct->nvalues > ARRAY_SIZE(ct->value))
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static struct xt_match xt_u32_mt_reg __read_mostly = {
|
static struct xt_match xt_u32_mt_reg __read_mostly = {
|
||||||
.name = "u32",
|
.name = "u32",
|
||||||
.revision = 0,
|
.revision = 0,
|
||||||
.family = NFPROTO_UNSPEC,
|
.family = NFPROTO_UNSPEC,
|
||||||
.match = u32_mt,
|
.match = u32_mt,
|
||||||
|
.checkentry = u32_mt_checkentry,
|
||||||
.matchsize = sizeof(struct xt_u32),
|
.matchsize = sizeof(struct xt_u32),
|
||||||
.me = THIS_MODULE,
|
.me = THIS_MODULE,
|
||||||
};
|
};
|
||||||
|
Loading…
Reference in New Issue
Block a user