[PATCH] netfilter: nft_compat: check match/targetinfo attr size

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] netfilter: nft_compat: check match/targetinfo attr size
@ 2016-03-08 23:04 Florian Westphal
  2016-03-10 16:47 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2016-03-08 23:04 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

We copy accoring to ->target|matchsize, so check that the netlink attribute
(which can include padding and might be larger) contains enough data.

Reported-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nft_compat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 454841b..6228c42 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -660,6 +660,9 @@ nft_match_select_ops(const struct nft_ctx *ctx,
 	if (IS_ERR(match))
 		return ERR_PTR(-ENOENT);
 
+	if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO]))
+		return ERR_PTR(-EINVAL);
+
 	/* This is the first time we use this match, allocate operations */
 	nft_match = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
 	if (nft_match == NULL)
@@ -740,6 +743,9 @@ nft_target_select_ops(const struct nft_ctx *ctx,
 	if (IS_ERR(target))
 		return ERR_PTR(-ENOENT);
 
+	if (target->targetsize > nla_len(tb[NFTA_TARGET_INFO]))
+		return ERR_PTR(-EINVAL);
+
 	/* This is the first time we use this target, allocate operations */
 	nft_target = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
 	if (nft_target == NULL)
-- 
2.4.10


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfilter: nft_compat: check match/targetinfo attr size
  2016-03-08 23:04 [PATCH] netfilter: nft_compat: check match/targetinfo attr size Florian Westphal
@ 2016-03-10 16:47 ` Pablo Neira Ayuso
  2016-03-10 17:00   ` Florian Westphal
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2016-03-10 16:47 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Wed, Mar 09, 2016 at 12:04:21AM +0100, Florian Westphal wrote:
> We copy accoring to ->target|matchsize, so check that the netlink attribute
> (which can include padding and might be larger) contains enough data.
> 
> Reported-by: Julia Lawall <Julia.Lawall@lip6.fr>
> Signed-off-by: Florian Westphal <fw@strlen.de>

I think xt_check_match() and xt_check_target() already validate this
for us.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfilter: nft_compat: check match/targetinfo attr size
  2016-03-10 16:47 ` Pablo Neira Ayuso
@ 2016-03-10 17:00   ` Florian Westphal
  2016-03-10 17:16     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2016-03-10 17:00 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 09, 2016 at 12:04:21AM +0100, Florian Westphal wrote:
> > We copy accoring to ->target|matchsize, so check that the netlink attribute
> > (which can include padding and might be larger) contains enough data.
> > 
> > Reported-by: Julia Lawall <Julia.Lawall@lip6.fr>
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> 
> I think xt_check_match() and xt_check_target() already validate this
> for us.

But AFAICS we copy before this:

nft_target_init:

size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
...
target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
   -> memcpy(out, in, t->targetsize);

xt_check_target(&par, size, proto, inv);  // checks size vs. targetsize

'target' is sized based on target->targetsize in
nft_target_select_ops().

So if tb[NFTA_TARGET_INFO] is != t->targetsize we might copy more
data than whats in 'in', no?

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfilter: nft_compat: check match/targetinfo attr size
  2016-03-10 17:00   ` Florian Westphal
@ 2016-03-10 17:16     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2016-03-10 17:16 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Thu, Mar 10, 2016 at 06:00:01PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Mar 09, 2016 at 12:04:21AM +0100, Florian Westphal wrote:
> > > We copy accoring to ->target|matchsize, so check that the netlink attribute
> > > (which can include padding and might be larger) contains enough data.
> > > 
> > > Reported-by: Julia Lawall <Julia.Lawall@lip6.fr>
> > > Signed-off-by: Florian Westphal <fw@strlen.de>
> > 
> > I think xt_check_match() and xt_check_target() already validate this
> > for us.
> 
> But AFAICS we copy before this:
> 
> nft_target_init:
> 
> size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
> ...
> target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
>    -> memcpy(out, in, t->targetsize);
> 
> xt_check_target(&par, size, proto, inv);  // checks size vs. targetsize
> 
> 'target' is sized based on target->targetsize in
> nft_target_select_ops().
> 
> So if tb[NFTA_TARGET_INFO] is != t->targetsize we might copy more
> data than whats in 'in', no?

Right, if the user passes less information, then we would be copying
more than what we have.

I'm going to place this in the nf-next, thanks Florian.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-03-10 17:16 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-08 23:04 [PATCH] netfilter: nft_compat: check match/targetinfo attr size Florian Westphal
2016-03-10 16:47 ` Pablo Neira Ayuso
2016-03-10 17:00   ` Florian Westphal
2016-03-10 17:16     ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).