From: Daniel Borkmann <daniel@iogearbox.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [PATCH 1/1] netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length
Date: Tue, 08 Mar 2016 21:26:59 +0100 [thread overview]
Message-ID: <56DF3593.7020507@iogearbox.net> (raw)
In-Reply-To: <1457466260-20373-2-git-send-email-kadlec@blackhole.kfki.hu>
Hi Jozsef,
On 03/08/2016 08:44 PM, Jozsef Kadlecsik wrote:
> Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
> was not checked explicitly, just for the maximum possible size. Malicious
> netlink clients could send shorter attribute and thus resulting a kernel
> read after the buffer.
>
> The patch adds the explicit length checkings.
>
> Reported-by: Julia Lawall <julia.lawall@lip6.fr>
> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> ---
> net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 ++
> net/netfilter/ipset/ip_set_hash_mac.c | 3 ++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> index 29dde20..9a065f6 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> +++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> @@ -267,6 +267,8 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
>
> e.id = ip_to_id(map, ip);
> if (tb[IPSET_ATTR_ETHER]) {
> + if (nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN)
> + return -IPSET_ERR_PROTOCOL;
Any reason to not just remove the 'NLA_BINARY' from the policy?
include/net/netlink.h +191:
* Meaning of `len' field:
[...]
* NLA_BINARY Maximum length of attribute payload
[...]
* All other Minimum length of attribute payload
validate_nla() will just do the right thing and check for minlen.
Thanks,
Daniel
> memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
> e.add_mac = 1;
> }
> diff --git a/net/netfilter/ipset/ip_set_hash_mac.c b/net/netfilter/ipset/ip_set_hash_mac.c
> index f1e7d2c..8f004ed 100644
> --- a/net/netfilter/ipset/ip_set_hash_mac.c
> +++ b/net/netfilter/ipset/ip_set_hash_mac.c
> @@ -110,7 +110,8 @@ hash_mac4_uadt(struct ip_set *set, struct nlattr *tb[],
> if (tb[IPSET_ATTR_LINENO])
> *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
>
> - if (unlikely(!tb[IPSET_ATTR_ETHER]))
> + if (unlikely(!tb[IPSET_ATTR_ETHER] ||
> + nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN))
> return -IPSET_ERR_PROTOCOL;
>
> ret = ip_set_get_extensions(set, tb, &ext);
>
next prev parent reply other threads:[~2016-03-08 20:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-08 19:44 [PATCH 0/1] ipset patch for nf Jozsef Kadlecsik
2016-03-08 19:44 ` [PATCH 1/1] netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length Jozsef Kadlecsik
2016-03-08 20:26 ` Daniel Borkmann [this message]
2016-03-08 21:46 ` Jozsef Kadlecsik
2016-03-10 18:28 ` [PATCH 0/1] ipset patch for nf Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56DF3593.7020507@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.