From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Phil Sutter <phil@nwl.cc>,
netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: [nf-next PATCH v2] netfilter: nft_exthdr: Fix for unsafe packet data read
Date: Tue, 8 Jun 2021 12:07:54 +0200 [thread overview]
Message-ID: <20210608100754.GG20020@breakpoint.cc> (raw)
In-Reply-To: <20210608095621.GA15808@salvia>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Tue, Jun 08, 2021 at 11:40:57AM +0200, Phil Sutter wrote:
> > While iterating through an SCTP packet's chunks, skb_header_pointer() is
> > called for the minimum expected chunk header size. If (that part of) the
> > skbuff is non-linear, the following memcpy() may read data past
> > temporary buffer '_sch'. Use skb_copy_bits() instead which does the
> > right thing in this situation.
> >
> > Fixes: 133dc203d77df ("netfilter: nft_exthdr: Support SCTP chunks")
> > Suggested-by: Florian Westphal <fw@strlen.de>
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> > Changes since v1:
> > - skb_copy_bits() call error handling added
> > ---
> > net/netfilter/nft_exthdr.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> > index 1b0579cb62d08..7f705b5c09de8 100644
> > --- a/net/netfilter/nft_exthdr.c
> > +++ b/net/netfilter/nft_exthdr.c
> > @@ -327,7 +327,9 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
> > break;
> >
> > dest[priv->len / NFT_REG32_SIZE] = 0;
> > - memcpy(dest, (char *)sch + priv->offset, priv->len);
> > + if (skb_copy_bits(pkt->skb, offset + priv->offset,
> > + dest, priv->len) < 0)
> > + break;
>
> Hm, it looks like tcp exthdt matching has the same problem?
Tcp exthdr either copies from skb linear area or a on-stack scratch space,
it looks ok to me.
next prev parent reply other threads:[~2021-06-08 10:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-08 9:40 [nf-next PATCH v2] netfilter: nft_exthdr: Fix for unsafe packet data read Phil Sutter
2021-06-08 9:43 ` Florian Westphal
2021-06-08 9:56 ` Pablo Neira Ayuso
2021-06-08 10:07 ` Florian Westphal [this message]
2021-06-08 10:16 ` Pablo Neira Ayuso
2021-06-08 10:38 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210608100754.GG20020@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.