[PATCH nf 01/17] netfilter: x_tables: don't move to non-existent next rule

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nf 01/17] netfilter: x_tables: don't move to non-existent next rule
Date: Fri,  1 Apr 2016 14:17:21 +0200	[thread overview]
Message-ID: <1459513057-30652-2-git-send-email-fw@strlen.de> (raw)
In-Reply-To: <1459513057-30652-1-git-send-email-fw@strlen.de>

Ben Hawkes says:

 In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
 is possible for a user-supplied ipt_entry structure to have a large
 next_offset field. This field is not bounds checked prior to writing a
 counter value at the supplied offset.

Base chains enforce absolute verdict.

User defined chains are supposed to end with an unconditional return,
xtables userspace adds them automatically.

But if such return is missing we will move to non-existent next rule.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/ipv4/netfilter/arp_tables.c | 8 +++++---
 net/ipv4/netfilter/ip_tables.c  | 4 ++++
 net/ipv6/netfilter/ip6_tables.c | 4 ++++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 4133b0f..82a434b 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -439,6 +439,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
 				size = e->next_offset;
 				e = (struct arpt_entry *)
 					(entry0 + pos + size);
+				if (pos + size >= newinfo->size)
+					return 0;
 				e->counters.pcnt = pos;
 				pos += size;
 			} else {
@@ -461,6 +463,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
+					if (newpos >= newinfo->size)
+						return 0;
 				}
 				e = (struct arpt_entry *)
 					(entry0 + newpos);
@@ -691,10 +695,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
 		}
 	}
 
-	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) {
-		duprintf("Looping hook\n");
+	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
 		return -ELOOP;
-	}
 
 	/* Finally, each sanity check must pass */
 	i = 0;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 631c100..e301a3d 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -520,6 +520,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
 				size = e->next_offset;
 				e = (struct ipt_entry *)
 					(entry0 + pos + size);
+				if (pos + size >= newinfo->size)
+					return 0;
 				e->counters.pcnt = pos;
 				pos += size;
 			} else {
@@ -541,6 +543,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
+					if (newpos >= newinfo->size)
+						return 0;
 				}
 				e = (struct ipt_entry *)
 					(entry0 + newpos);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 86b67b7..7b3335b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -532,6 +532,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
 				size = e->next_offset;
 				e = (struct ip6t_entry *)
 					(entry0 + pos + size);
+				if (pos + size >= newinfo->size)
+					return 0;
 				e->counters.pcnt = pos;
 				pos += size;
 			} else {
@@ -553,6 +555,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
+					if (newpos >= newinfo->size)
+						return 0;
 				}
 				e = (struct ip6t_entry *)
 					(entry0 + newpos);
-- 
2.7.3

next prev parent reply	other threads:[~2016-04-01 12:17 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-04-01 12:17 [PATCH nf 00/17] netfilter: xtables: stricter ruleset validation Florian Westphal
2016-04-01 12:17 ` Florian Westphal [this message]
2016-04-01 12:17 ` [PATCH nf 02/17] netfilter: x_tables: validate targets of jumps Florian Westphal
2016-04-01 12:24   ` Jan Engelhardt
2016-04-01 12:17 ` [PATCH nf 03/17] netfilter: x_tables: add and use xt_check_entry_offsets Florian Westphal
2016-04-01 12:17 ` [PATCH nf 04/17] netfilter: x_tables: kill check_entry helper Florian Westphal
2016-04-01 12:17 ` [PATCH nf 05/17] netfilter: x_tables: assert minimum target size Florian Westphal
2016-04-01 12:17 ` [PATCH nf 06/17] netfilter: x_tables: add compat version of xt_check_entry_offsets Florian Westphal
2016-04-01 12:17 ` [PATCH nf 07/17] netfilter: x_tables: check standard target size too Florian Westphal
2016-04-01 12:17 ` [PATCH nf 08/17] netfilter: x_tables: check for bogus target offset Florian Westphal
2016-04-01 12:17 ` [PATCH nf 09/17] netfilter: x_tables: validate all offsets and sizes in a rule Florian Westphal
2016-04-01 12:17 ` [PATCH nf 10/17] netfilter: ip_tables: simplify translate_compat_table args Florian Westphal
2016-04-01 12:17 ` [PATCH nf 11/17] netfilter: ip6_tables: " Florian Westphal
2016-04-01 12:17 ` [PATCH nf 12/17] netfilter: arp_tables: " Florian Westphal
2016-04-01 12:17 ` [PATCH nf 13/17] netfilter: x_tables: xt_compat_match_from_user doesn't need a retval Florian Westphal
2016-04-01 12:17 ` [PATCH nf 14/17] netfilter: x_tables: do compat validation via translate_table Florian Westphal
2016-04-01 12:17 ` [PATCH nf 15/17] netfilter: x_tables: remove obsolete overflow check for compat case too Florian Westphal
2016-04-01 12:17 ` [PATCH nf 16/17] netfilter: x_tables: remove obsolete check Florian Westphal
2016-04-01 12:17 ` [PATCH nf 17/17] netfilter: x_tables: introduce and use xt_copy_counters_from_user Florian Westphal
2016-04-01 12:52   ` kbuild test robot
2016-04-01 13:06   ` kbuild test robot
2016-04-01 13:33   ` kbuild test robot
2016-04-01 13:37 ` [PATCH v2 " Florian Westphal
2016-04-08 11:58 ` [PATCH nf 00/17] netfilter: xtables: stricter ruleset validation Pablo Neira Ayuso
2016-04-08 11:59   ` Florian Westphal
2016-04-12 21:54     ` Pablo Neira Ayuso
2016-04-13 22:33 ` Pablo Neira Ayuso

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:4133b0f dfblob:82a434b dfblob:631c100 dfblob:e301a3d
dfblob:86b67b7 dfblob:7b3335b )
 OR (
bs:"[PATCH nf 01/17] netfilter: x_tables: don't move to non-existent next rule" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1459513057-30652-2-git-send-email-fw@strlen.de \
    --to=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).