* [PATCH 0/5] Check u32 load in u8 attributes
@ 2016-08-10 15:29 Laura Garcia Liebana
  2016-08-10 15:30 ` [PATCH 1/5] netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute Laura Garcia Liebana
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Laura Garcia Liebana @ 2016-08-10 15:29 UTC (permalink / raw)
  To: netfilter-devel

The following patchset adds a check during the load of a u32 value
into a u8 attribute which can cause an overflow.


Laura Garcia Liebana (5):
  netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute
  netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute
  netfilter: nf_tables: Check u32 load in u8 nft_cmp attribute
  netfilter: nf_tables: Check u32 load in u8 nft_immediate attribute
  netfilter: nf_tables: Check u32 load in u8 nft_nat attribute

 net/netfilter/nft_bitwise.c   |  7 ++++++-
 net/netfilter/nft_byteorder.c | 13 +++++++++++--
 net/netfilter/nft_cmp.c       |  5 ++++-
 net/netfilter/nft_immediate.c |  3 +++
 net/netfilter/nft_nat.c       |  2 ++
 5 files changed, 26 insertions(+), 4 deletions(-)

-- 
2.8.1



* [PATCH 1/5] netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute
  2016-08-10 15:29 [PATCH 0/5] Check u32 load in u8 attributes Laura Garcia Liebana
@ 2016-08-10 15:30 ` Laura Garcia Liebana
  2016-08-10 15:31 ` [PATCH 2/5] netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute Laura Garcia Liebana
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Laura Garcia Liebana @ 2016-08-10 15:30 UTC (permalink / raw)
  To: netfilter-devel

Fix the direct assignment from u32 data input into the len attribute
with a size of u8.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 net/netfilter/nft_bitwise.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index d71cc18..2c49f69 100644
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -53,6 +53,7 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
 	struct nft_bitwise *priv = nft_expr_priv(expr);
 	struct nft_data_desc d1, d2;
 	int err;
+	u32 len;
 
 	if (tb[NFTA_BITWISE_SREG] == NULL ||
 	    tb[NFTA_BITWISE_DREG] == NULL ||
@@ -61,7 +62,11 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
 	    tb[NFTA_BITWISE_XOR] == NULL)
 		return -EINVAL;
 
-	priv->len  = ntohl(nla_get_be32(tb[NFTA_BITWISE_LEN]));
+	len  = ntohl(nla_get_be32(tb[NFTA_BITWISE_LEN]));
+	if (len > U8_MAX)
+		return -EINVAL;
+	priv->len = len;
+
 	priv->sreg = nft_parse_register(tb[NFTA_BITWISE_SREG]);
 	err = nft_validate_register_load(priv->sreg, priv->len);
 	if (err < 0)
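
Review bot: the read, compare against U8_MAX, then assign sequence added ahead of the priv->sreg line is open-coded here and appears twice more in nft_byteorder_init in 2/5; a small shared helper that takes the attribute and a maximum and returns either the value or an error would keep all the call sites consistent. Separately, "len  = ntohl(" keeps the double space that only made sense when the line aligned with priv->sreg; a single space is enough now.
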
-- 
2.8.1



* [PATCH 2/5] netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute
  2016-08-10 15:29 [PATCH 0/5] Check u32 load in u8 attributes Laura Garcia Liebana
  2016-08-10 15:30 ` [PATCH 1/5] netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute Laura Garcia Liebana
@ 2016-08-10 15:31 ` Laura Garcia Liebana
  2016-08-10 15:31 ` [PATCH 3/5] netfilter: nf_tables: Check u32 load in u8 nft_cmp attribute Laura Garcia Liebana
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Laura Garcia Liebana @ 2016-08-10 15:31 UTC (permalink / raw)
  To: netfilter-devel

Fix the direct assignment from u32 data input into the len and size
attributes with a size of u8.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 net/netfilter/nft_byteorder.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
index b78c28b..fdd23d5 100644
--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -100,6 +100,7 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
 {
 	struct nft_byteorder *priv = nft_expr_priv(expr);
 	int err;
+	u32 len, size;
 
 	if (tb[NFTA_BYTEORDER_SREG] == NULL ||
 	    tb[NFTA_BYTEORDER_DREG] == NULL ||
@@ -117,7 +118,10 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
 		return -EINVAL;
 	}
 
-	priv->size = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_SIZE]));
+	size = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_SIZE]));
+	if (size > U8_MAX)
+		return -EINVAL;
+	priv->size = size;
 	switch (priv->size) {
 	case 2:
 	case 4:
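
Review bot: the switch right after the new check still tests priv->size, i.e. the value after the narrowing store. Using the local u32 instead (switch (size)) and assigning priv->size only once the value has been accepted would reject out-of-range input in the switch itself and avoid writing an unvalidated value into priv. As written, the U8_MAX test is the only thing that stops a value such as 0x102 from being stored as 2 and matching case 2, which is worth stating in the commit message.
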
@@ -128,7 +132,12 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
 	}
 
 	priv->sreg = nft_parse_register(tb[NFTA_BYTEORDER_SREG]);
-	priv->len  = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_LEN]));
+
+	len  = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_LEN]));
+	if (len > U8_MAX)
+		return -EINVAL;
+	priv->len = len;
+
 	err = nft_validate_register_load(priv->sreg, priv->len);
 	if (err < 0)
 		return err;
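
Review bot: the len > U8_MAX test returns -EINVAL, the same code the neighbouring attribute checks in this function return, so userspace cannot tell an out-of-range length from a malformed request; -ERANGE would make that distinction. The same applies to the size check in the previous hunk. The "len  = ntohl(" line also carries over a double space from the old aligned assignment.
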
-- 
2.8.1



* [PATCH 3/5] netfilter: nf_tables: Check u32 load in u8 nft_cmp attribute
  2016-08-10 15:29 [PATCH 0/5] Check u32 load in u8 attributes Laura Garcia Liebana
  2016-08-10 15:30 ` [PATCH 1/5] netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute Laura Garcia Liebana
  2016-08-10 15:31 ` [PATCH 2/5] netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute Laura Garcia Liebana
@ 2016-08-10 15:31 ` Laura Garcia Liebana
  2016-08-10 15:31 ` [PATCH 4/5] netfilter: nf_tables: Check u32 load in u8 nft_immediate attribute Laura Garcia Liebana
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Laura Garcia Liebana @ 2016-08-10 15:31 UTC (permalink / raw)
  To: netfilter-devel

Fix the direct assignment from u32 data input into the len attribute
with a size of u8.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 net/netfilter/nft_cmp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index e25b35d..ca247e5 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -84,8 +84,11 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 	if (err < 0)
 		return err;
 
-	priv->op  = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
+	if (desc.len > U8_MAX)
+		return -EINVAL;
 	priv->len = desc.len;
+	priv->op  = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
+
 	return 0;
 }
 
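
Review bot: moving the priv->op assignment below priv->len = desc.len is not needed for the fix and makes the hunk larger than the change; leaving that line where it was and adding only the desc.len > U8_MAX test gives a two-line diff that is easier to verify and backport. priv->op is also filled by direct assignment from a u32 attribute (NFTA_CMP_OP); its type is not visible in this hunk, so if it is narrower than u32 it needs the same range check.
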
-- 
2.8.1



* [PATCH 4/5] netfilter: nf_tables: Check u32 load in u8 nft_immediate attribute
  2016-08-10 15:29 [PATCH 0/5] Check u32 load in u8 attributes Laura Garcia Liebana
                   ` (2 preceding siblings ...)
  2016-08-10 15:31 ` [PATCH 3/5] netfilter: nf_tables: Check u32 load in u8 nft_cmp attribute Laura Garcia Liebana
@ 2016-08-10 15:31 ` Laura Garcia Liebana
  2016-08-10 15:32 ` [PATCH 5/5] netfilter: nf_tables: Check u32 load in u8 nft_nat attribute Laura Garcia Liebana
  2016-08-11 23:36 ` [PATCH 0/5] Check u32 load in u8 attributes Pablo Neira Ayuso
  5 siblings, 0 replies; 7+ messages in thread
From: Laura Garcia Liebana @ 2016-08-10 15:31 UTC (permalink / raw)
  To: netfilter-devel

Fix the direct assignment from u32 data input into the dlen attribute
with a size of u8.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 net/netfilter/nft_immediate.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index db3b746..6de590c 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -53,6 +53,9 @@ static int nft_immediate_init(const struct nft_ctx *ctx,
 			    tb[NFTA_IMMEDIATE_DATA]);
 	if (err < 0)
 		return err;
+
+	if (desc.len > U8_MAX)
+		return -EINVAL;
 	priv->dlen = desc.len;
 
 	priv->dreg = nft_parse_register(tb[NFTA_IMMEDIATE_DREG]);
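
Review bot: the new return -EINVAL after if (desc.len > U8_MAX) sits after the preceding call on tb[NFTA_IMMEDIATE_DATA] has already succeeded. If that call takes anything that the later error paths of this function release, this early return has to go through the same cleanup rather than returning directly; please confirm against the rest of nft_immediate_init, which is not visible in this hunk.
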
-- 
2.8.1



* [PATCH 5/5] netfilter: nf_tables: Check u32 load in u8 nft_nat attribute
  2016-08-10 15:29 [PATCH 0/5] Check u32 load in u8 attributes Laura Garcia Liebana
                   ` (3 preceding siblings ...)
  2016-08-10 15:31 ` [PATCH 4/5] netfilter: nf_tables: Check u32 load in u8 nft_immediate attribute Laura Garcia Liebana
@ 2016-08-10 15:32 ` Laura Garcia Liebana
  2016-08-11 23:36 ` [PATCH 0/5] Check u32 load in u8 attributes Pablo Neira Ayuso
  5 siblings, 0 replies; 7+ messages in thread
From: Laura Garcia Liebana @ 2016-08-10 15:32 UTC (permalink / raw)
  To: netfilter-devel

Fix the direct assignment from u32 data input into the family
attribute with a size of u8.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 net/netfilter/nft_nat.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index ee2d717..74f8293 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -148,6 +148,8 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 	family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
 	if (family != ctx->afi->family)
 		return -EOPNOTSUPP;
+	if (family > U8_MAX)
+		return -EINVAL;
 
 	switch (family) {
 	case NFPROTO_IPV4:
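
Review bot: the family > U8_MAX test is placed after "if (family != ctx->afi->family) return -EOPNOTSUPP;", so it is only reached when family already equals ctx->afi->family and can fire only if that field itself holds a value above U8_MAX. Either move the range check ahead of the comparison, so that an oversized value gets -EINVAL rather than -EOPNOTSUPP, or drop it and note in the commit message that the comparison already bounds the value.
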
-- 
2.8.1



* Re: [PATCH 0/5] Check u32 load in u8 attributes
  2016-08-10 15:29 [PATCH 0/5] Check u32 load in u8 attributes Laura Garcia Liebana
                   ` (4 preceding siblings ...)
  2016-08-10 15:32 ` [PATCH 5/5] netfilter: nf_tables: Check u32 load in u8 nft_nat attribute Laura Garcia Liebana
@ 2016-08-11 23:36 ` Pablo Neira Ayuso
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-11 23:36 UTC (permalink / raw)
  To: Laura Garcia Liebana; +Cc: netfilter-devel

On Wed, Aug 10, 2016 at 05:29:34PM +0200, Laura Garcia Liebana wrote:
> The following patchset adds a check during the load of a u32 value
> into a u8 attribute which can cause an overflow.

Could you collapse them all in one single patch?

You can probably use this title:

        netfilter: nf_tables: Check for overflow of u8 fields from u32 netlink attributes

And explicitly refer to 4da449ae1df in the description to link it to
this one.

Thanks.
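
The narrowing problem this thread fixes, as a user-space illustration added here (not code from the patches or the kernel). struct expr_priv, attr_u32(), validate_len() and REG_SIZE are hypothetical stand-ins, and the attribute bytes are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define U8_MAX   0xffu
#define REG_SIZE 16u	/* constructed limit, not the kernel's value */

struct expr_priv { uint8_t len; };	/* hypothetical private data with a u8 field */

/* Decode a big-endian u32 payload, the value ntohl(nla_get_be32()) would yield. */
static uint32_t attr_u32(const uint8_t p[4])
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

/* Stand-in for a later bounds check that only ever sees the stored u8. */
static int validate_len(uint8_t len)
{
	return (len == 0 || len > REG_SIZE) ? -EINVAL : 0;
}

/* Before: the u32 is narrowed on assignment, so 260 is stored as 4. */
static int init_unchecked(struct expr_priv *priv, const uint8_t attr[4])
{
	priv->len = attr_u32(attr);
	return validate_len(priv->len);
}

/* After: range-check the full u32 first, then store it. */
static int init_checked(struct expr_priv *priv, const uint8_t attr[4])
{
	uint32_t len = attr_u32(attr);

	if (len > U8_MAX)
		return -EINVAL;
	priv->len = (uint8_t)len;
	return validate_len(priv->len);
}

int main(void)
{
	const uint8_t attr[4] = { 0x00, 0x00, 0x01, 0x04 };	/* constructed: 260 */
	struct expr_priv a = { 0 }, b = { 0 };

	printf("unchecked: ret=%d len=%u\n", init_unchecked(&a, attr), a.len);
	printf("checked:   ret=%d len=%u\n", init_checked(&b, attr), b.len);
	return 0;
}
```
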
