[nf-next PATCH] netfilter: nft_exthdr: Fix for unsafe packet data read

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [nf-next PATCH] netfilter: nft_exthdr: Fix for unsafe packet data read
@ 2021-06-08  8:51 Phil Sutter
  2021-06-08  9:14 ` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Phil Sutter @ 2021-06-08  8:51 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal

While iterating through an SCTP packet's chunks, skb_header_pointer() is
called for the minimum expected chunk header size. If (that part of) the
skbuff is non-linear, the following memcpy() may read data past
temporary buffer '_sch'. Use skb_copy_bits() instead which does the
right thing in this situation.

Fixes: 133dc203d77df ("netfilter: nft_exthdr: Support SCTP chunks")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 net/netfilter/nft_exthdr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 1b0579cb62d08..2b976687510d8 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -327,7 +327,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
 				break;
 
 			dest[priv->len / NFT_REG32_SIZE] = 0;
-			memcpy(dest, (char *)sch + priv->offset, priv->len);
+			skb_copy_bits(pkt->skb, offset + priv->offset,
+				      dest, priv->len);
 			return;
 		}
 		offset += SCTP_PAD4(ntohs(sch->length));
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [nf-next PATCH] netfilter: nft_exthdr: Fix for unsafe packet data read
  2021-06-08  8:51 [nf-next PATCH] netfilter: nft_exthdr: Fix for unsafe packet data read Phil Sutter
@ 2021-06-08  9:14 ` Florian Westphal
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2021-06-08  9:14 UTC (permalink / raw)
  To: Phil Sutter; +Cc: Pablo Neira Ayuso, netfilter-devel, Florian Westphal

Phil Sutter <phil@nwl.cc> wrote:
> While iterating through an SCTP packet's chunks, skb_header_pointer() is
> called for the minimum expected chunk header size. If (that part of) the
> skbuff is non-linear, the following memcpy() may read data past
> temporary buffer '_sch'. Use skb_copy_bits() instead which does the
> right thing in this situation.
> 
> Fixes: 133dc203d77df ("netfilter: nft_exthdr: Support SCTP chunks")
> Suggested-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
>  net/netfilter/nft_exthdr.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> index 1b0579cb62d08..2b976687510d8 100644
> --- a/net/netfilter/nft_exthdr.c
> +++ b/net/netfilter/nft_exthdr.c
> @@ -327,7 +327,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
>  				break;
>  
>  			dest[priv->len / NFT_REG32_SIZE] = 0;
> -			memcpy(dest, (char *)sch + priv->offset, priv->len);
> +			skb_copy_bits(pkt->skb, offset + priv->offset,
> +				      dest, priv->len);

can you 'goto err' when this fails just like other callers in the same
file?

Thanks!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-06-08  9:15 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-06-08  8:51 [nf-next PATCH] netfilter: nft_exthdr: Fix for unsafe packet data read Phil Sutter
2021-06-08  9:14 ` Florian Westphal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).