From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
Xin Long <lucien.xin@gmail.com>, Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 16/95] netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6
Date: Mon, 25 Oct 2021 21:14:13 +0200 [thread overview]
Message-ID: <20211025190959.263826408@linuxfoundation.org> (raw)
In-Reply-To: <20211025190956.374447057@linuxfoundation.org>
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit a482c5e00a9b5a194085bcd372ac36141028becb ]
In rt_mt6(), when it's a nonlinear skb, the 1st skb_header_pointer()
only copies sizeof(struct ipv6_rt_hdr) to _route that rh points to.
The access by ((const struct rt0_hdr *)rh)->reserved will overflow
the buffer. So this access should be moved below the 2nd call to
skb_header_pointer().
Besides, after the 2nd skb_header_pointer(), its return value should
also be checked, othersize, *rp may cause null-pointer-ref.
v1->v2:
- clean up some old debugging log.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/netfilter/ip6t_rt.c | 48 +++++-------------------------------
1 file changed, 6 insertions(+), 42 deletions(-)
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 733c83d38b30..4ad8b2032f1f 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -25,12 +25,7 @@ MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static inline bool
segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
{
- bool r;
- pr_debug("segsleft_match:%c 0x%x <= 0x%x <= 0x%x\n",
- invert ? '!' : ' ', min, id, max);
- r = (id >= min && id <= max) ^ invert;
- pr_debug(" result %s\n", r ? "PASS" : "FAILED");
- return r;
+ return (id >= min && id <= max) ^ invert;
}
static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
@@ -65,30 +60,6 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
return false;
}
- pr_debug("IPv6 RT LEN %u %u ", hdrlen, rh->hdrlen);
- pr_debug("TYPE %04X ", rh->type);
- pr_debug("SGS_LEFT %u %02X\n", rh->segments_left, rh->segments_left);
-
- pr_debug("IPv6 RT segsleft %02X ",
- segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
- rh->segments_left,
- !!(rtinfo->invflags & IP6T_RT_INV_SGS)));
- pr_debug("type %02X %02X %02X ",
- rtinfo->rt_type, rh->type,
- (!(rtinfo->flags & IP6T_RT_TYP) ||
- ((rtinfo->rt_type == rh->type) ^
- !!(rtinfo->invflags & IP6T_RT_INV_TYP))));
- pr_debug("len %02X %04X %02X ",
- rtinfo->hdrlen, hdrlen,
- !(rtinfo->flags & IP6T_RT_LEN) ||
- ((rtinfo->hdrlen == hdrlen) ^
- !!(rtinfo->invflags & IP6T_RT_INV_LEN)));
- pr_debug("res %02X %02X %02X ",
- rtinfo->flags & IP6T_RT_RES,
- ((const struct rt0_hdr *)rh)->reserved,
- !((rtinfo->flags & IP6T_RT_RES) &&
- (((const struct rt0_hdr *)rh)->reserved)));
-
ret = (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
rh->segments_left,
!!(rtinfo->invflags & IP6T_RT_INV_SGS))) &&
@@ -107,22 +78,22 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
reserved),
sizeof(_reserved),
&_reserved);
+ if (!rp) {
+ par->hotdrop = true;
+ return false;
+ }
ret = (*rp == 0);
}
- pr_debug("#%d ", rtinfo->addrnr);
if (!(rtinfo->flags & IP6T_RT_FST)) {
return ret;
} else if (rtinfo->flags & IP6T_RT_FST_NSTRICT) {
- pr_debug("Not strict ");
if (rtinfo->addrnr > (unsigned int)((hdrlen - 8) / 16)) {
- pr_debug("There isn't enough space\n");
return false;
} else {
unsigned int i = 0;
- pr_debug("#%d ", rtinfo->addrnr);
for (temp = 0;
temp < (unsigned int)((hdrlen - 8) / 16);
temp++) {
@@ -138,26 +109,20 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
return false;
}
- if (ipv6_addr_equal(ap, &rtinfo->addrs[i])) {
- pr_debug("i=%d temp=%d;\n", i, temp);
+ if (ipv6_addr_equal(ap, &rtinfo->addrs[i]))
i++;
- }
if (i == rtinfo->addrnr)
break;
}
- pr_debug("i=%d #%d\n", i, rtinfo->addrnr);
if (i == rtinfo->addrnr)
return ret;
else
return false;
}
} else {
- pr_debug("Strict ");
if (rtinfo->addrnr > (unsigned int)((hdrlen - 8) / 16)) {
- pr_debug("There isn't enough space\n");
return false;
} else {
- pr_debug("#%d ", rtinfo->addrnr);
for (temp = 0; temp < rtinfo->addrnr; temp++) {
ap = skb_header_pointer(skb,
ptr
@@ -173,7 +138,6 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
if (!ipv6_addr_equal(ap, &rtinfo->addrs[temp]))
break;
}
- pr_debug("temp=%d #%d\n", temp, rtinfo->addrnr);
if (temp == rtinfo->addrnr &&
temp == (unsigned int)((hdrlen - 8) / 16))
return ret;
--
2.33.0
next prev parent reply other threads:[~2021-10-25 19:34 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-25 19:13 [PATCH 5.10 00/95] 5.10.76-rc1 review Greg Kroah-Hartman
2021-10-25 19:13 ` [PATCH 5.10 01/95] parisc: math-emu: Fix fall-through warnings Greg Kroah-Hartman
2021-10-25 19:13 ` [PATCH 5.10 02/95] xhci: add quirk for host controllers that dont update endpoint DCS Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 03/95] io_uring: fix splice_fd_in checks backport typo Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 04/95] arm: dts: vexpress-v2p-ca9: Fix the SMB unit-address Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 05/95] ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 06/95] block: decode QUEUE_FLAG_HCTX_ACTIVE in debugfs output Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 07/95] xen/x86: prevent PVH type from getting clobbered Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 08/95] drm/amdgpu/display: fix dependencies for DRM_AMD_DC_SI Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 09/95] xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 10/95] xtensa: xtfpga: Try software restart before simulating CPU reset Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 11/95] NFSD: Keep existing listeners on portlist error Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 12/95] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 13/95] dma-debug: fix sg checks in debug_dma_map_sg() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 14/95] ASoC: wm8960: Fix clock configuration on slave mode Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 15/95] ice: fix getting UDP tunnel entry Greg Kroah-Hartman
2021-10-25 19:14 ` Greg Kroah-Hartman [this message]
2021-10-25 19:14 ` [PATCH 5.10 17/95] netfilter: ipvs: make global sysctl readonly in non-init netns Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 18/95] lan78xx: select CRC32 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 19/95] tcp: md5: Fix overlap between vrf and non-vrf keys Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 20/95] ipv6: When forwarding count rx stats on the orig netdev Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 21/95] net: dsa: lantiq_gswip: fix register definition Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 22/95] NIOS2: irqflags: rename a redefined register name Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 23/95] powerpc/smp: do not decrement idle task preempt count in CPU offline Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 24/95] net: hns3: reset DWRR of unused tc to zero Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 25/95] net: hns3: add limit ets dwrr bandwidth cannot be 0 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 26/95] net: hns3: schedule the polling again when allocation fails Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 27/95] net: hns3: fix vf reset workqueue cannot exit Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 28/95] net: hns3: disable sriov before unload hclge layer Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 29/95] net: stmmac: Fix E2E delay mechanism Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 30/95] e1000e: Fix packet loss on Tiger Lake and later Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 31/95] ice: Add missing E810 device ids Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 32/95] drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 33/95] net: enetc: fix ethtool counter name for PM0_TERR Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 34/95] can: rcar_can: fix suspend/resume Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 35/95] can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 36/95] can: peak_pci: peak_pci_remove(): fix UAF Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 37/95] can: isotp: isotp_sendmsg(): fix return error on FC timeout on TX path Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 38/95] can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 39/95] can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 40/95] can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 41/95] can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 42/95] can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 43/95] ceph: skip existing superblocks that are blocklisted or shut down when mounting Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 44/95] ceph: fix handling of "meta" errors Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 45/95] ocfs2: fix data corruption after conversion from inline format Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 46/95] ocfs2: mount fails with buffer overflow in strlen Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 47/95] userfaultfd: fix a race between writeprotect and exit_mmap() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 48/95] elfcore: correct reference to CONFIG_UML Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 49/95] vfs: check fd has read access in kernel_read_file_from_fd() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 50/95] ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 51/95] ALSA: hda/realtek: Add quirk for Clevo PC50HS Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 52/95] ASoC: DAPM: Fix missing kctl change notifications Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 53/95] audit: fix possible null-pointer dereference in audit_filter_rules Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 54/95] net: dsa: mt7530: correct ds->num_ports Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 55/95] powerpc64/idle: Fix SP offsets when saving GPRs Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 56/95] KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 57/95] KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to guest Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 58/95] powerpc/idle: Dont corrupt back chain when going idle Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 59/95] mm, slub: fix mismatch between reconstructed freelist depth and cnt Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 60/95] mm, slub: fix potential memoryleak in kmem_cache_open() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 61/95] mm, slub: fix incorrect memcg slab count for bulk free Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 62/95] KVM: nVMX: promptly process interrupts delivered while in guest mode Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 63/95] nfc: nci: fix the UAF of rf_conn_info object Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 64/95] isdn: cpai: check ctr->cnr to avoid array index out of bound Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 65/95] netfilter: Kconfig: use default y instead of m for bool config option Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 66/95] selftests: netfilter: remove stray bash debug line Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 67/95] net: bridge: mcast: use multicast_membership_interval for IGMPv3 Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 68/95] drm: mxsfb: Fix NULL pointer dereference crash on unload Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 69/95] net: hns3: fix the max tx size according to user manual Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 70/95] gcc-plugins/structleak: add makefile var for disabling structleak Greg Kroah-Hartman
2021-10-25 20:56 ` Pavel Machek
2021-10-25 21:07 ` Brendan Higgins
2021-10-25 21:40 ` Pavel Machek
2021-10-25 19:15 ` [PATCH 5.10 71/95] ALSA: hda: intel: Allow repeatedly probing on codec configuration errors Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 72/95] btrfs: deal with errors when checking if a dir entry exists during log replay Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 73/95] net: stmmac: add support for dwmac 3.40a Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 74/95] ARM: dts: spear3xx: Fix gmac node Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 75/95] isdn: mISDN: Fix sleeping function called from invalid context Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 76/95] platform/x86: intel_scu_ipc: Update timeout value in comment Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 77/95] ALSA: hda: avoid write to STATESTS if controller is in reset Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 78/95] libperf tests: Fix test_stat_cpu Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 79/95] perf/x86/msr: Add Sapphire Rapids CPU support Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 80/95] Input: snvs_pwrkey - add clk handling Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 81/95] scsi: iscsi: Fix set_param() handling Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 82/95] scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 83/95] sched/scs: Reset the shadow stack when idle_task_exit Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 84/95] net: hns3: fix for miscalculation of rx unused desc Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 85/95] scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 86/95] can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 87/95] s390/pci: fix zpci_zdev_put() on reserve Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 88/95] bpf, test, cgroup: Use sk_{alloc,free} for test cases Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 89/95] usbnet: sanity check for maxpacket Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 90/95] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 91/95] tracing: Have all levels of checks prevent recursion Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 92/95] e1000e: Separate TGP board type from SPT Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 93/95] selftests: bpf: fix backported ASSERT_FALSE Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 94/95] ARM: 9122/1: select HAVE_FUTEX_CMPXCHG Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 95/95] pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume() Greg Kroah-Hartman
2021-10-25 21:09 ` [PATCH 5.10 00/95] 5.10.76-rc1 review Florian Fainelli
2021-10-25 21:37 ` Pavel Machek
2021-10-26 0:59 ` Shuah Khan
2021-10-26 1:14 ` Fox Chen
2021-10-26 7:17 ` Naresh Kamboju
2021-10-26 9:16 ` Jon Hunter
2021-10-26 18:27 ` Sudip Mukherjee
2021-10-26 19:16 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211025190959.263826408@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=pablo@netfilter.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox