From: Florian Westphal <fw@strlen.de>
To: Wander Lairson Costa <wander@redhat.com>
Cc: Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Jozsef Kadlecsik <kadlec@netfilter.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Fernando Fernandez Mancera <ffmancera@riseup.net>,
	"open list:NETFILTER" <netfilter-devel@vger.kernel.org>,
	"open list:NETFILTER" <coreteam@netfilter.org>,
	"open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
	open list <linux-kernel@vger.kernel.org>,
	stable@kernel.org
Subject: Re: [PATCH nf v2] netfilter/osf: avoid OOB read
Date: Thu, 31 Aug 2023 16:50:48 +0200
Message-ID: <20230831145048.GC15759@breakpoint.cc>
In-Reply-To: <CAAq0SU=nesniZCLBa7xoqJ853sk2_+LaBhenVSZeYoe=82Syow@mail.gmail.com>

Wander Lairson Costa <wander@redhat.com> wrote:
> On Thu, Aug 31, 2023 at 10:37 AM Florian Westphal <fw@strlen.de> wrote:
> >
> > Wander Lairson Costa <wander@redhat.com> wrote:
> > >
> > > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
> > > index 8f1bfa6ccc2d..13fedf2aaa0f 100644
> > > --- a/net/netfilter/nfnetlink_osf.c
> > > +++ b/net/netfilter/nfnetlink_osf.c
> > > @@ -315,6 +315,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
> > >
> > >       f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
> > >
> > > +     if (f->opt_num > ARRAY_SIZE(f->opt))
> > > +             return -EINVAL;
> > > +
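Review bot: the new check at the top of the hunk bounds only `f->opt_num`; the fixed-size arrays `genre[MAXGENRELEN]`, `version[MAXGENRELEN]` and `subtype[MAXGENRELEN]` in the same struct still come straight out of `nla_data()` without any check, so a fingerprint whose array lacks a terminating NUL will make every later C-string use of those fields read past the array. Reject the attribute in the same place when `strnlen(f->genre, MAXGENRELEN) == MAXGENRELEN` (and likewise for `version` and `subtype`), or equivalently when `memchr(f->genre, 0, MAXGENRELEN)` returns NULL; either form stays within the array while testing. The `>` comparison for `opt_num` is consistent with `opt_num` being a count of used `opt[]` entries, so the opt_num check itself needs no change.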
> >
> > Hmm, this isn't enough; as far as I can see there is no validation
> > whatsoever.
> >
> 
> I didn't get it. It guarantees there is no OOB read of the opt array.

Sorry.  This is enough to validate opt_num.

But other members need validation too.

> > This should also check that all of:
> >
> >  char    genre[MAXGENRELEN];
> >  char    version[MAXGENRELEN];
> >  char    subtype[MAXGENRELEN];
> >
> > ... have a NUL byte. You could use strnlen() == ARRAY_SIZE() -> EINVAL
> > for those.
> >
> 
> I think the correct way would be memchr(genre/version/subtype, 0, MAXGENRELEN).

I don't really care what it looks like, just that it's clear that
it is supposed to catch and reject non-null-terminated C strings :-)

> > Maybe there is more to be validated. I did not follow up with all the
> >
> 
> I focused on the reported issue mainly because I am unfamiliar with
> the Netfilter layer. Let me take a deeper look.

I don't think there is anyone really familiar with OSF infra; it
was added quite a while back.
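The validation the two messages argue about, as an added example that is not the patch's code and not the kernel's: a userspace C model with a reduced, hypothetical stand-in for the fingerprint struct that keeps only the members named in the thread (genre/version/subtype, opt_num, opt). The value of MAXGENRELEN and the size of the option array are assumed, and the example assumes the caller has already made sure the buffer holds a whole struct. It bounds opt_num the way the patch does and additionally requires a NUL inside each fixed-size string, showing both the strnlen() form Florian suggests and the memchr() form from the reply.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed values: only the identifier MAXGENRELEN appears in the thread. */
#define MAXGENRELEN   32
#define MODEL_MAX_OPT 40
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical, reduced stand-in for the kernel fingerprint struct. */
struct model_opt {
	uint16_t kind;
	uint16_t length;
};

struct model_finger {
	char genre[MAXGENRELEN];
	char version[MAXGENRELEN];
	char subtype[MAXGENRELEN];
	uint16_t opt_num;                   /* number of used entries in opt[] */
	struct model_opt opt[MODEL_MAX_OPT];
};

/* strnlen() form: with no NUL inside the array, strnlen() returns n. */
static int nul_terminated_strnlen(const char *s, size_t n)
{
	return strnlen(s, n) < n;
}

/* memchr() form: equivalent, and also never looks beyond the array. */
static int nul_terminated_memchr(const char *s, size_t n)
{
	return memchr(s, '\0', n) != NULL;
}

/* 0 if the user-supplied fingerprint is safe to use, -EINVAL otherwise. */
int validate_finger(const struct model_finger *f)
{
	/* The patch's check: opt_num indexes opt[], so it must not exceed it. */
	if (f->opt_num > ARRAY_SIZE(f->opt))
		return -EINVAL;

	/* The extra point from the review: these are later used as C strings,
	 * so each array must contain a terminating NUL. */
	if (!nul_terminated_strnlen(f->genre, sizeof(f->genre)) ||
	    !nul_terminated_strnlen(f->version, sizeof(f->version)) ||
	    !nul_terminated_strnlen(f->subtype, sizeof(f->subtype)))
		return -EINVAL;

	return 0;
}

/* Constructed well-formed fingerprint used by the checks below. */
static void make_valid_finger(struct model_finger *f)
{
	memset(f, 0, sizeof(*f));
	strcpy(f->genre, "Linux");
	strcpy(f->version, "2.6");
	f->opt_num = 2;
	f->opt[0].kind = 2; f->opt[0].length = 4;   /* TCP MSS option */
	f->opt[1].kind = 1; f->opt[1].length = 1;   /* TCP NOP option */
}

int check_valid(void)
{
	struct model_finger f;
	make_valid_finger(&f);
	return validate_finger(&f);              /* 0 */
}

/* opt_num one past the array: the out-of-bounds read the patch prevents. */
int check_bad_opt_num(void)
{
	struct model_finger f;
	make_valid_finger(&f);
	f.opt_num = ARRAY_SIZE(f.opt) + 1;
	return validate_finger(&f);              /* -EINVAL */
}

/* genre[] full of 'A' with no NUL: strlen() on it would run into version[]. */
int check_unterminated_genre(void)
{
	struct model_finger f;
	make_valid_finger(&f);
	memset(f.genre, 'A', sizeof(f.genre));
	return validate_finger(&f);              /* -EINVAL */
}

/* The two proposed helpers agree on both an unterminated and a terminated array. */
int approaches_agree(void)
{
	char buf[MAXGENRELEN];
	memset(buf, 'x', sizeof(buf));
	int a = nul_terminated_strnlen(buf, sizeof(buf)) == nul_terminated_memchr(buf, sizeof(buf));
	buf[MAXGENRELEN - 1] = '\0';
	int b = nul_terminated_strnlen(buf, sizeof(buf)) == nul_terminated_memchr(buf, sizeof(buf));
	return a && b;                            /* 1 */
}
```

The check_* functions each build one constructed input and return what validate_finger() says about it; rejecting in validate_finger() before any of the fields is used is what keeps both the opt[] indexing and every later string use of genre/version/subtype inside their arrays.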

Thread overview: 5+ messages
2023-08-31 12:39 [PATCH nf v2] netfilter/osf: avoid OOB read Wander Lairson Costa
2023-08-31 13:37 ` Florian Westphal
2023-08-31 14:45   ` Wander Lairson Costa
2023-08-31 14:50     ` Florian Westphal [this message]
2023-08-31 15:31 ` Fernando F. Mancera