From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 542BCC43381 for ; Thu, 21 Feb 2019 14:41:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1B74A20838 for ; Thu, 21 Feb 2019 14:41:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1550760109; bh=fNMlzt4hnFEW1j79YExsd84lQRBpgDJez+qDVXvi5JY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=IrshDbSxqOHyM5LvZ1wR7vem/BDul1cJSLCkPea8VXNG0TMCjH0ShrSO6f7QX87xd ZWdOyBQ/C3XaEEbcgYLsLLCyoBabx5/BcM4K+ykuXGIun65rg0dq8J7ufZCzBtvy19 D9U550McYHURv7TVm6uQyY0cKS+Ddh+nLqIF5D/I= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729396AbfBUOls (ORCPT ); Thu, 21 Feb 2019 09:41:48 -0500 Received: from mail.kernel.org ([198.145.29.99]:36976 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729386AbfBUOlo (ORCPT ); Thu, 21 Feb 2019 09:41:44 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9ABD820838; Thu, 21 Feb 2019 14:41:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1550760104; bh=fNMlzt4hnFEW1j79YExsd84lQRBpgDJez+qDVXvi5JY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rDnCroR/IXLlomuZuUsP9vLBtuKxyyu9hVU7iXuvjksr23M41HpMPEvPgwjfwni6g ipvGQCYYMbtqQOFlE52XtYw/l/5pnDS/+T+2ayC4t+TSCUCTZ+xPB1usPiWvme0c8r FuHXc/8UEIgJF9UiZLk8Ri7FDVgo6EnacuHq4jv4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Pablo Neira Ayuso Subject: [PATCH 4.19 27/30] netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs Date: Thu, 21 Feb 2019 15:36:09 +0100 Message-Id: <20190221125252.116047407@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190221125250.543158526@linuxfoundation.org> References: <20190221125250.543158526@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn commit c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc upstream. The generic ASN.1 decoder infrastructure doesn't guarantee that callbacks will get as much data as they expect; callbacks have to check the `datalen` parameter before looking at `data`. Make sure that snmp_version() and snmp_helper() don't read/write beyond the end of the packet data. (Also move the assignment to `pdata` down below the check to make it clear that it isn't necessarily a pointer we can use before the `datalen` check.) Fixes: cc2d58634e0f ("netfilter: nf_nat_snmp_basic: use asn1 decoder library") Signed-off-by: Jann Horn Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/ipv4/netfilter/nf_nat_snmp_basic_main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c +++ b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c @@ -104,6 +104,8 @@ static void fast_csum(struct snmp_ctx *c int snmp_version(void *context, size_t hdrlen, unsigned char tag, const void *data, size_t datalen) { + if (datalen != 1) + return -EINVAL; if (*(unsigned char *)data > 1) return -ENOTSUPP; return 1; @@ -113,8 +115,11 @@ int snmp_helper(void *context, size_t hd const void *data, size_t datalen) { struct snmp_ctx *ctx = (struct snmp_ctx *)context; - __be32 *pdata = (__be32 *)data; + __be32 *pdata; + if (datalen != 4) + return -EINVAL; + pdata = (__be32 *)data; if (*pdata == ctx->from) { pr_debug("%s: %pI4 to %pI4\n", __func__, (void *)&ctx->from, (void *)&ctx->to);