From: Daniel Borkmann <daniel@iogearbox.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [PATCH 1/1] netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length
Date: Tue, 08 Mar 2016 21:26:59 +0100 [thread overview]
Message-ID: <56DF3593.7020507@iogearbox.net> (raw)
In-Reply-To: <1457466260-20373-2-git-send-email-kadlec@blackhole.kfki.hu>
Hi Jozsef,
On 03/08/2016 08:44 PM, Jozsef Kadlecsik wrote:
> Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
> was not checked explicitly, just for the maximum possible size. Malicious
> netlink clients could send shorter attribute and thus resulting a kernel
> read after the buffer.
>
> The patch adds the explicit length checkings.
>
> Reported-by: Julia Lawall <julia.lawall@lip6.fr>
> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> ---
> net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 ++
> net/netfilter/ipset/ip_set_hash_mac.c | 3 ++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> index 29dde20..9a065f6 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> +++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> @@ -267,6 +267,8 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
>
> e.id = ip_to_id(map, ip);
> if (tb[IPSET_ATTR_ETHER]) {
> + if (nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN)
> + return -IPSET_ERR_PROTOCOL;
Any reason to not just remove the 'NLA_BINARY' from the policy?
include/net/netlink.h +191:
* Meaning of `len' field:
[...]
* NLA_BINARY Maximum length of attribute payload
[...]
* All other Minimum length of attribute payload
validate_nla() will just do the right thing and check for minlen.
Thanks,
Daniel
> memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
> e.add_mac = 1;
> }
> diff --git a/net/netfilter/ipset/ip_set_hash_mac.c b/net/netfilter/ipset/ip_set_hash_mac.c
> index f1e7d2c..8f004ed 100644
> --- a/net/netfilter/ipset/ip_set_hash_mac.c
> +++ b/net/netfilter/ipset/ip_set_hash_mac.c
> @@ -110,7 +110,8 @@ hash_mac4_uadt(struct ip_set *set, struct nlattr *tb[],
> if (tb[IPSET_ATTR_LINENO])
> *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
>
> - if (unlikely(!tb[IPSET_ATTR_ETHER]))
> + if (unlikely(!tb[IPSET_ATTR_ETHER] ||
> + nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN))
> return -IPSET_ERR_PROTOCOL;
>
> ret = ip_set_get_extensions(set, tb, &ext);
>
next prev parent reply other threads:[~2016-03-08 20:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-08 19:44 [PATCH 0/1] ipset patch for nf Jozsef Kadlecsik
2016-03-08 19:44 ` [PATCH 1/1] netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length Jozsef Kadlecsik
2016-03-08 20:26 ` Daniel Borkmann [this message]
2016-03-08 21:46 ` Jozsef Kadlecsik
2016-03-10 18:28 ` [PATCH 0/1] ipset patch for nf Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56DF3593.7020507@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).