From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
David Miller <davem@davemloft.net>,
bunk@stusta.de, Al Viro <viro@zeniv.linux.org.uk>
Subject: [patch 05/24] EBTABLES: Prevent wraparounds in checks for entry components sizes.
Date: Thu, 14 Dec 2006 17:33:42 -0800 [thread overview]
Message-ID: <20061215013532.501879000@sous-sol.org> (raw)
In-Reply-To: 20061215013337.823935000@sous-sol.org
[-- Attachment #1: ebtables-prevent-wraparounds-in-checks-for-entry-components-sizes.patch --]
[-- Type: text/plain, Size: 2518 bytes --]
2.6.18-stable review patch. If anyone has any objections, please let us know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
---
net/bridge/netfilter/ebtables.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- linux-2.6.18.5.orig/net/bridge/netfilter/ebtables.c
+++ linux-2.6.18.5/net/bridge/netfilter/ebtables.c
@@ -360,10 +360,11 @@ ebt_check_match(struct ebt_entry_match *
const char *name, unsigned int hookmask, unsigned int *cnt)
{
struct ebt_match *match;
+ size_t left = ((char *)e + e->watchers_offset) - (char *)m;
int ret;
- if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
- ((char *)e) + e->watchers_offset)
+ if (left < sizeof(struct ebt_entry_match) ||
+ left - sizeof(struct ebt_entry_match) < m->match_size)
return -EINVAL;
match = find_match_lock(m->u.name, &ret, &ebt_mutex);
if (!match)
@@ -389,10 +390,11 @@ ebt_check_watcher(struct ebt_entry_watch
const char *name, unsigned int hookmask, unsigned int *cnt)
{
struct ebt_watcher *watcher;
+ size_t left = ((char *)e + e->target_offset) - (char *)w;
int ret;
- if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
- ((char *)e) + e->target_offset)
+ if (left < sizeof(struct ebt_entry_watcher) ||
+ left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
return -EINVAL;
watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
if (!watcher)
@@ -595,6 +597,7 @@ ebt_check_entry(struct ebt_entry *e, str
struct ebt_entry_target *t;
struct ebt_target *target;
unsigned int i, j, hook = 0, hookmask = 0;
+ size_t gap = e->next_offset - e->target_offset;
int ret;
/* don't mess with the struct ebt_entries */
@@ -656,8 +659,7 @@ ebt_check_entry(struct ebt_entry *e, str
t->u.target = target;
if (t->u.target == &ebt_standard_target) {
- if (e->target_offset + sizeof(struct ebt_standard_target) >
- e->next_offset) {
+ if (gap < sizeof(struct ebt_standard_target)) {
BUGPRINT("Standard target size too big\n");
ret = -EFAULT;
goto cleanup_watchers;
@@ -668,8 +670,7 @@ ebt_check_entry(struct ebt_entry *e, str
ret = -EFAULT;
goto cleanup_watchers;
}
- } else if ((e->target_offset + t->target_size +
- sizeof(struct ebt_entry_target) > e->next_offset) ||
+ } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
(t->u.target->check &&
t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
module_put(t->u.target->me);
--
next prev parent reply other threads:[~2006-12-15 1:35 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-15 1:33 [patch 00/24] -stable review Chris Wright
2006-12-15 1:33 ` [patch 01/24] softmac: remove netif_tx_disable when scanning Chris Wright
2006-12-15 1:33 ` [patch 02/24] EBTABLES: Fix wraparounds in ebt_entries verification Chris Wright
2006-12-15 1:33 ` [patch 03/24] EBTABLES: Verify that ebt_entries have zero ->distinguisher Chris Wright
2006-12-15 1:33 ` [patch 04/24] EBTABLES: Deal with the worst-case behaviour in loop checks Chris Wright
2006-12-15 1:33 ` Chris Wright [this message]
2006-12-15 1:33 ` [patch 06/24] NET_SCHED: policer: restore compatibility with old iproute binaries Chris Wright
2006-12-15 1:33 ` [patch 07/24] dm crypt: Fix data corruption with dm-crypt over RAID5 Chris Wright
2006-12-15 1:33 ` [patch 08/24] NETFILTER: ip_tables: revision support for compat code Chris Wright
2006-12-15 1:33 ` [patch 09/24] PKT_SCHED act_gact: division by zero Chris Wright
2006-12-15 1:33 ` [patch 10/24] SUNHME: Fix for sunhme failures on x86 Chris Wright
2006-12-15 1:33 ` [patch 11/24] XFRM: Use output device disable_xfrm for forwarded packets Chris Wright
2006-12-15 1:33 ` [patch 12/24] dm snapshot: fix freeing pending exception Chris Wright
2006-12-15 1:33 ` [patch 13/24] IPSEC: Fix inetpeer leak in ipv4 xfrm dst entries Chris Wright
2006-12-15 1:33 ` [patch 14/24] IrDA: Incorrect TTP header reservation Chris Wright
2006-12-15 1:33 ` [patch 15/24] bonding: incorrect bonding state reported via ioctl Chris Wright
2006-12-15 1:33 ` [patch 16/24] DVB: lgdt330x: fix signal / lock status detection bug Chris Wright
2006-12-15 1:33 ` [patch 17/24] V4L: Fix broken TUNER_LG_NTSC_TAPE radio support Chris Wright
2006-12-15 1:33 ` [patch 18/24] ieee1394: ohci1394: add PPC_PMAC platform code to driver probe Chris Wright
2006-12-15 1:33 ` [patch 19/24] ARM: Add sys_*at syscalls Chris Wright
2006-12-15 1:33 ` [patch 20/24] skip data conversion in compat_sys_mount when data_page is NULL Chris Wright
2006-12-15 1:33 ` [patch 21/24] softirq: remove BUG_ONs which can incorrectly trigger Chris Wright
2006-12-15 1:33 ` [patch 22/24] m32r: make userspace headers platform-independent Chris Wright
2006-12-15 1:34 ` [patch 23/24] forcedeth: Disable INTx when enabling MSI in forcedeth Chris Wright
2006-12-15 1:34 ` [patch 24/24] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106) Chris Wright
2006-12-15 1:37 ` [patch 00/24] -stable review Chris Wright
2006-12-15 18:20 ` [patch 25/24] x86-64: Mark rdtsc as sync only for netburst, not for core2 Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061215013532.501879000@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bunk@stusta.de \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox