From: Laura Garcia Liebana <nevola@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH v4] netfilter: nf_tables: Ensure init attributes are within the bounds
Date: Thu, 18 Aug 2016 18:06:26 +0200 [thread overview]
Message-ID: <20160818160623.GA25544@sonyv> (raw)
Check that u32 netlink attributes stored in u8 fields do not overflow them,
and that values do not exceed their maximum.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V4:
- Define NFT_CMP_MAX
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_bitwise.c | 7 ++++++-
net/netfilter/nft_byteorder.c | 13 +++++++++++--
net/netfilter/nft_cmp.c | 9 ++++++++-
net/netfilter/nft_immediate.c | 3 +++
5 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 0ddefb1..ce12a20 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -528,7 +528,9 @@ enum nft_cmp_ops {
NFT_CMP_LTE,
NFT_CMP_GT,
NFT_CMP_GTE,
+ __NFT_CMP_MAX
};
+#define NFT_CMP_MAX (__NFT_CMP_MAX - 1)
/**
* enum nft_cmp_attributes - nf_tables cmp expression netlink attributes
diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index d71cc18..6e09b1e 100644
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -53,6 +53,7 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
struct nft_bitwise *priv = nft_expr_priv(expr);
struct nft_data_desc d1, d2;
int err;
+ u32 len;
if (tb[NFTA_BITWISE_SREG] == NULL ||
tb[NFTA_BITWISE_DREG] == NULL ||
@@ -61,7 +62,11 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
tb[NFTA_BITWISE_XOR] == NULL)
return -EINVAL;
- priv->len = ntohl(nla_get_be32(tb[NFTA_BITWISE_LEN]));
+ len = ntohl(nla_get_be32(tb[NFTA_BITWISE_LEN]));
+ if (len > U8_MAX)
+ return -ERANGE;
+ priv->len = len;
+
priv->sreg = nft_parse_register(tb[NFTA_BITWISE_SREG]);
err = nft_validate_register_load(priv->sreg, priv->len);
if (err < 0)
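Review bot: The read-u32, compare with `U8_MAX`, return `-ERANGE`, assign sequence added here for `NFTA_BITWISE_LEN` is repeated verbatim for `NFTA_BYTEORDER_SIZE` and `NFTA_BYTEORDER_LEN` in the nft_byteorder.c hunks. A small shared helper that takes the attribute, the maximum and a destination pointer would keep the bound and the error code in one place and make it harder for a later expression to skip the check. Either way, a one-line comment such as `/* priv->len is u8; reject values the field cannot hold */` above the check would record why the local `u32` exists. nft_bitwise_init starts and ends outside this hunk.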
diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
index b78c28b..763cf15 100644
--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -100,6 +100,7 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
{
struct nft_byteorder *priv = nft_expr_priv(expr);
int err;
+ u32 len, size;
if (tb[NFTA_BYTEORDER_SREG] == NULL ||
tb[NFTA_BYTEORDER_DREG] == NULL ||
@@ -117,7 +118,10 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
return -EINVAL;
}
- priv->size = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_SIZE]));
+ size = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_SIZE]));
+ if (size > U8_MAX)
+ return -ERANGE;
+ priv->size = size;
switch (priv->size) {
case 2:
case 4:
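Review bot: The `size > U8_MAX` test is immediately followed by `switch (priv->size)`, which by the visible arms accepts only 2 and 4, so the range check mostly changes which error an oversized value gets. Switching on the local instead, `switch (size) {`, and assigning `priv->size = size;` only after the switch has accepted it, validates the untruncated attribute in one step and keeps a rejected value out of `priv`. The switch's remaining arms are outside this hunk, so the error code returned for other sizes is not visible here.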
@@ -128,7 +132,12 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
}
priv->sreg = nft_parse_register(tb[NFTA_BYTEORDER_SREG]);
- priv->len = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_LEN]));
+
+ len = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_LEN]));
+ if (len > U8_MAX)
+ return -ERANGE;
+ priv->len = len;
+
err = nft_validate_register_load(priv->sreg, priv->len);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index e25b35d..cb9cfab 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -55,6 +55,8 @@ static void nft_cmp_eval(const struct nft_expr *expr,
if (d < 0)
goto mismatch;
break;
+ default:
+ break;
}
return;
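Review bot: The added `default: break;` falls out of the switch to the `return` below it, which, judging by the `goto mismatch` arm above, is the path taken when a comparison holds, so an op value the switch does not recognise would be treated as a match. Failing closed is the safer default for a value that should never reach evaluation: `default: goto mismatch;`. If the arm is only there to cover the new `__NFT_CMP_MAX` enumerator, a comment saying so would help the next reader. nft_cmp_eval starts outside this hunk.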
@@ -84,8 +86,13 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
if (err < 0)
return err;
- priv->op = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
+ if (desc.len > U8_MAX)
+ return -ERANGE;
priv->len = desc.len;
+ priv->op = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
+ if (priv->op > NFT_CMP_MAX)
+ return -ERANGE;
+
return 0;
}
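Review bot: The `NFTA_CMP_OP` check compares `priv->op` after the u32 attribute has already been stored into it, whereas the `len` and `size` checks elsewhere in this patch test a local `u32` before assigning. If `priv->op` is a narrow field like the other private fields this patch guards (its declaration is not visible here), the value is truncated before the comparison and an out-of-range attribute can pass as a valid op. Reading into a local first avoids that: `op = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));`, `if (op > NFT_CMP_MAX) return -ERANGE;`, `priv->op = op;`. nft_cmp_init starts above the hunk, so the `u32 op;` declaration would go there.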
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index db3b746..b5f899c 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -53,6 +53,9 @@ static int nft_immediate_init(const struct nft_ctx *ctx,
tb[NFTA_IMMEDIATE_DATA]);
if (err < 0)
return err;
+
+ if (desc.len > U8_MAX)
+ return -ERANGE;
priv->dlen = desc.len;
priv->dreg = nft_parse_register(tb[NFTA_IMMEDIATE_DREG]);
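Review bot: The new `desc.len > U8_MAX` check returns directly after the data-init call (its tail is visible at the top of the hunk) has already succeeded. If that call can take a reference or otherwise hold state for some data types, which cannot be confirmed from this hunk, the early `return -ERANGE;` would skip releasing it. The check should set `err = -ERANGE` and leave through whatever cleanup path the function uses for failures after initialisation, rather than returning directly. nft_immediate_init starts and ends outside this hunk.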
--
2.8.1