On Thu, Mar 10, 2016 at 01:56:02AM +0100, Florian Westphal wrote: > Ben Hawkes says: > > In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it > is possible for a user-supplied ipt_entry structure to have a large > next_offset field. This field is not bounds checked prior to writing a > counter value at the supplied offset. > > Problem is that xt_entry_foreach() macro stops iterating once e->next_offset > is out of bounds, assuming this is the last entry. > > With malformed data thats not necessarily the case so we can > write outside of allocated area later as we might not have walked the > entire blob. > > Fix this by simplifying mark_source_chains -- it already has to check > if nextoff is in range to catch invalid jumps, so just do the check > when we move to a next entry as well. Thanks for posting this patch so fast Florian. It's sad that Ben didn't even take the time to reach the people that the MAINTAINERS file shows in first place *sigh*. I'll place this in nf-next together with remaining pending fixes, it seems we'll have 4.5 just after this -rc7 so I don't think we'll get there in time for this. I'll pass this to -stable once this hits master, these patches apply cleanly to every kernel starting 3.2. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html