netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 08/47] netfilter: x_tables: check error target size too
Date: Fri, 30 Mar 2018 13:36:50 +0200
Message-ID: <20180330113729.18335-9-pablo@netfilter.org>
In-Reply-To: <20180330113729.18335-1-pablo@netfilter.org>

From: Florian Westphal <fw@strlen.de>

Check that the userspace ERROR target (custom user-defined chains) matches
the expected format, and that the chain name is null terminated.

This is irrelevant for the kernel, but iptables itself relies on sane input
when it dumps rules from the kernel.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/x_tables.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 2e4d423e58e6..f045bb4f7063 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -654,6 +654,11 @@ struct compat_xt_standard_target {
 	compat_uint_t verdict;
 };
 
+struct compat_xt_error_target {
+	struct compat_xt_entry_target t;
+	char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
 static bool verdict_ok(int verdict)
 {
 	if (verdict > 0)
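Review bot: struct compat_xt_error_target is introduced without a comment saying which user-visible layout it mirrors; a one-line note that it is the 32-bit userspace counterpart of struct xt_error_target (the same errorname[XT_FUNCTION_MAXNAMELEN] trailer behind the compat target header) would make clear that the two definitions must be kept in sync, which its placement next to compat_xt_standard_target only implies.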
@@ -679,6 +684,12 @@ static bool verdict_ok(int verdict)
 	return false;
 }
 
+static bool error_tg_ok(unsigned int usersize, unsigned int kernsize,
+			const char *msg, unsigned int msglen)
+{
+	return usersize == kernsize && strnlen(msg, msglen) < msglen;
+}
+
 int xt_compat_check_entry_offsets(const void *base, const char *elems,
 				  unsigned int target_offset,
 				  unsigned int next_offset)
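Review bot: the strict usersize == kernsize test in error_tg_ok deserves a short comment stating that exact equality is intended: an ERROR target carries nothing beyond the fixed errorname array, so any other target_size is malformed rather than merely oversized, and a reader should not take the == for a missing >=. The strnlen(msg, msglen) < msglen form is the right one for the termination check, since strnlen returning msglen means no NUL was found inside the array; naming that intent, e.g. /* chain name must be NUL-terminated within errorname */, would help.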
@@ -708,6 +719,12 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems,
 
 		if (!verdict_ok(st->verdict))
 			return -EINVAL;
+	} else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
+		const struct compat_xt_error_target *et = (const void *)t;
+
+		if (!error_tg_ok(t->u.target_size, sizeof(*et),
+				 et->errorname, sizeof(et->errorname)))
+			return -EINVAL;
 	}
 
 	/* compat_xt_entry match has less strict alignment requirements,
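Review bot: the cast at `const struct compat_xt_error_target *et = (const void *)t;` textually precedes the size check, and only the && short-circuit inside error_tg_ok guarantees that et->errorname is not read before t->u.target_size has been compared with sizeof(*et); a one-line comment here would make that ordering dependency explicit. It is also worth confirming that target_size has already been bounded against next_offset earlier in xt_compat_check_entry_offsets, so that strnlen cannot run past the entry for a target that happens to pass the equality test at the very end of the blob. The strcmp against XT_ERROR_TARGET follows the existing standard-target branch, so the dispatch style is consistent.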
@@ -796,6 +813,12 @@ int xt_check_entry_offsets(const void *base,
 
 		if (!verdict_ok(st->verdict))
 			return -EINVAL;
+	} else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
+		const struct xt_error_target *et = (const void *)t;
+
+		if (!error_tg_ok(t->u.target_size, sizeof(*et),
+				 et->errorname, sizeof(et->errorname)))
+			return -EINVAL;
 	}
 
 	return xt_check_entry_match(elems, base + target_offset,
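Review bot: this branch duplicates the compat branch line for line apart from the struct type, and since error_tg_ok already takes the sizes and buffer as parameters, the two call sites stay in sync only by convention; a comment cross-referencing the compat path, or a note at error_tg_ok that both callers must pass sizeof(*et) and sizeof(et->errorname), would reduce the chance of one being changed without the other. The same ordering remark applies here: et is formed before the size comparison, and only the short-circuit in error_tg_ok prevents reading errorname of an undersized target.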
-- 
2.11.0

Thread overview (13+ messages):
2018-03-30 11:36 [PATCH 00/47] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2018-03-30 11:36 ` [PATCH 01/47] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static Pablo Neira Ayuso
2018-03-30 11:36 ` [PATCH 02/47] netfilter: nfnetlink_acct: remove useless parameter Pablo Neira Ayuso
2018-03-30 11:36 ` [PATCH 03/47] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast Pablo Neira Ayuso
2018-03-30 11:36 ` [PATCH 04/47] netfilter: nf_conntrack_broadcast: remove useless parameter Pablo Neira Ayuso
2018-03-30 11:36 ` [PATCH 05/47] netfilter: ipt_ah: return boolean instead of integer Pablo Neira Ayuso
2018-03-30 11:36 ` [PATCH 06/47] netfilter: unlock xt_table earlier in __do_replace Pablo Neira Ayuso
2018-03-30 11:36 ` [PATCH 07/47] netfilter: x_tables: check standard verdicts in core Pablo Neira Ayuso
2018-03-30 11:36 ` Pablo Neira Ayuso [this message]
2018-03-30 11:36 ` [PATCH 09/47] netfilter: x_tables: move hook entry checks into core Pablo Neira Ayuso
2018-03-30 15:43 ` [PATCH 00/47] Netfilter/IPVS updates for net-next David Miller
2018-04-03  6:13 ` Rafał Miłecki
2018-04-03 10:19   ` Pablo Neira Ayuso