From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5468B2BD11; Mon, 20 Apr 2026 16:08:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776701330; cv=none; b=uQ2LgKhGlFMqeeEd5XAyD3Md1NkkH2EFXdidiFn9gSzmHa6D4wazhCuRuaMt2HPkfsUBrgibYtOYnxYtMByHCWvbChg69BuuNcAkbt7lMUEr5Y6sTCvrJEQt1d7q/2dMuZj0fLPk9pnUCqModH1j5Hzgeq3rp9KKOnt+n6lxfvw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776701330; c=relaxed/simple; bh=xC2Vp8swGJ+pCMQGh1uril0NvXD19PotE9D6EL80ZGk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XOnxKgh1CgpEeKgSq9oZ7nBnqeGZxWrtsE0m4Xf/yl9swbnrPMZMkzXd5pizu2VTWoRXlAfTUusay+QnWbETlMLrxXAaZ8MBvPlBbBie1Ec2Mp+hgAFT/eOXWuQiYuO+DcAzWhYyUkvubXMMYomYT2e1/ZcvPRjD+zMFhFTpz4Q= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=A0tLOTMN; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="A0tLOTMN" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B1CC0C19425; Mon, 20 Apr 2026 16:08:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1776701330; bh=xC2Vp8swGJ+pCMQGh1uril0NvXD19PotE9D6EL80ZGk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=A0tLOTMNIXZqMkY5QHfU8EK1Ofg8nT5/mBM1SsQK34GzeKtLZAFELg00tDCzM9OV9 RScu1LcLLpeNnnTPeo8QuslmA+oOOxIIOX2+/UMwFpnF3hFDLL9MzS99ATH1ewkRwB 8dAgzxIEePuCDeHH6rb/nMLvva6I1FjuKjrgLD0s= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Yuhang Zheng , Ren Wei , Florian Westphal , Sasha Levin Subject: [PATCH 6.12 071/162] netfilter: xt_multiport: validate range encoding in checkentry Date: Mon, 20 Apr 2026 17:41:43 +0200 Message-ID: <20260420153929.608295142@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420153927.006696811@linuxfoundation.org> References: <20260420153927.006696811@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ren Wei [ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ] ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range end. The checkentry path currently validates protocol, flags and count, but it does not validate the range encoding itself. As a result, malformed rules can mark the last slot as a range start or place two range starts back to back, leaving ports_match_v1() to step past the last valid ports[] element while interpreting the rule. Reject malformed multiport v1 rules in checkentry by validating that each range start has a following element and that the following element is not itself marked as another range start. Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match") Reported-by: Yifan Wu Reported-by: Juefei Pu Co-developed-by: Yuan Tan Signed-off-by: Yuan Tan Suggested-by: Xin Liu Tested-by: Yuhang Zheng Signed-off-by: Ren Wei Signed-off-by: Florian Westphal Signed-off-by: Sasha Levin --- net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c index 44a00f5acde8a..a1691ff405d3c 100644 --- a/net/netfilter/xt_multiport.c +++ b/net/netfilter/xt_multiport.c @@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); } +static bool +multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo) +{ + unsigned int i; + + for (i = 0; i < multiinfo->count; i++) { + if (!multiinfo->pflags[i]) + continue; + + if (++i >= multiinfo->count) + return false; + + if (multiinfo->pflags[i]) + return false; + + if (multiinfo->ports[i - 1] > multiinfo->ports[i]) + return false; + } + + return true; +} + static inline bool check(u_int16_t proto, u_int8_t ip_invflags, @@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par) const struct ipt_ip *ip = par->entryinfo; const struct xt_multiport_v1 *multiinfo = par->matchinfo; - return check(ip->proto, ip->invflags, multiinfo->flags, - multiinfo->count) ? 0 : -EINVAL; + if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) + return -EINVAL; + + return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; } static int multiport_mt6_check(const struct xt_mtchk_param *par) @@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par) const struct ip6t_ip6 *ip = par->entryinfo; const struct xt_multiport_v1 *multiinfo = par->matchinfo; - return check(ip->proto, ip->invflags, multiinfo->flags, - multiinfo->count) ? 0 : -EINVAL; + if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) + return -EINVAL; + + return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; } static struct xt_match multiport_mt_reg[] __read_mostly = { -- 2.53.0