From: Andreas Schwab <schwab@linux-m68k.org>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org
Subject: Re: [PATCH 07/23] netfilter: x_tables: check standard target size too
Date: Sun, 05 Jun 2016 23:11:36 +0200 [thread overview]
Message-ID: <8760tn5ojb.fsf@linux-m68k.org> (raw)
In-Reply-To: <1461332394-3994-8-git-send-email-pablo@netfilter.org> (Pablo Neira Ayuso's message of "Fri, 22 Apr 2016 15:39:38 +0200")
Pablo Neira Ayuso <pablo@netfilter.org> writes:
> From: Florian Westphal <fw@strlen.de>
>
> We have targets and standard targets -- the latter carries a verdict.
>
> The ip/ip6tables validation functions will access t->verdict for the
> standard targets to fetch the jump offset or verdict for chainloop
> detection, but this happens before the targets get checked/validated.
>
> Thus we also need to check for verdict presence here, else t->verdict
> can point right after a blob.
>
> Spotted with UBSAN while testing malformed blobs.
This breaks iptables on PPC32.
# iptables -nL
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
# modprobe iptable-filter
FATAL: Error inserting iptable_filter (/lib/modules/4.7.0-rc1/kernel/net/ipv4/netfilter/iptable_filter.ko): Invalid argument
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
next prev parent reply other threads:[~2016-06-05 21:11 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-22 13:39 [PATCH 00/23] Netfilter updates for net-next Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 01/23] netfilter: x_tables: don't move to non-existent next rule Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 02/23] netfilter: x_tables: validate targets of jumps Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 03/23] netfilter: x_tables: add and use xt_check_entry_offsets Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 04/23] netfilter: x_tables: kill check_entry helper Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 05/23] netfilter: x_tables: assert minimum target size Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 06/23] netfilter: x_tables: add compat version of xt_check_entry_offsets Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 07/23] netfilter: x_tables: check standard target size too Pablo Neira Ayuso
2016-06-05 21:11 ` Andreas Schwab [this message]
2016-06-05 22:02 ` Florian Westphal
2016-06-06 11:20 ` Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 08/23] netfilter: x_tables: check for bogus target offset Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 09/23] netfilter: x_tables: validate all offsets and sizes in a rule Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 10/23] netfilter: ip_tables: simplify translate_compat_table args Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 11/23] netfilter: ip6_tables: " Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 12/23] netfilter: arp_tables: " Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 13/23] netfilter: x_tables: xt_compat_match_from_user doesn't need a retval Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 14/23] netfilter: x_tables: do compat validation via translate_table Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 15/23] netfilter: x_tables: remove obsolete overflow check for compat case too Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 16/23] netfilter: x_tables: remove obsolete check Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 17/23] netfilter: x_tables: introduce and use xt_copy_counters_from_user Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 18/23] netfilter: ctnetlink: remove unnecessary inlining Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 19/23] netfilter: connlabels: move helpers to xt_connlabel Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 20/23] netfilter: labels: don't emit ct event if labels were not changed Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 21/23] netfilter: connlabels: change nf_connlabels_get bit arg to 'highest used' Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 22/23] netfilter: ctnetlink: restore inlining for netlink message size calculation Pablo Neira Ayuso
2016-04-22 13:39 ` [PATCH 23/23] netfilter: conntrack: don't acquire lock during seq_printf Pablo Neira Ayuso
2016-04-24 4:26 ` [PATCH 00/23] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8760tn5ojb.fsf@linux-m68k.org \
--to=schwab@linux-m68k.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.