On Thu, Mar 10, 2016 at 03:12:31PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Mar 10, 2016 at 01:56:02AM +0100, Florian Westphal wrote:
> > Ben Hawkes says:
> >
> > In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
> > is possible for a user-supplied ipt_entry structure to have a large
> > next_offset field. This field is not bounds checked prior to writing a
> > counter value at the supplied offset.
> >
> > Problem is that the xt_entry_foreach() macro stops iterating once e->next_offset
> > is out of bounds, assuming this is the last entry.
> >
> > With malformed data that's not necessarily the case so we can
> > write outside of allocated area later as we might not have walked the
> > entire blob.
> >
> > Fix this by simplifying mark_source_chains -- it already has to check
> > if nextoff is in range to catch invalid jumps, so just do the check
> > when we move to a next entry as well.
...
> I'll place this in nf-next together with remaining pending fixes, it
> seems we'll have 4.5 just after this -rc7 so I don't think we'll get
> there in time for this.

Hi,

I can't see this patch either in nf or in nf-next even if the other one
(netfilter: x_tables: check for size overflow) is in nf-next. Was it
omitted on purpose or is it a mistake?

Michal Kubecek
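The walking rule Florian's commit message describes, as an added example that is not the kernel's code: a simplified entry model (struct entry, validate_entries and check_offsets are hypothetical names, not net/ipv4/netfilter/ip_tables.c) whose walker rejects any next_offset that is misaligned or would leave the blob, instead of treating it as the last entry.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of a variable-length rule entry, not the kernel's
 * struct ipt_entry: a 4-byte header, then next_offset - 4 bytes of
 * payload. Entries are packed back to back in a user-supplied blob. */
struct entry {
    uint16_t next_offset;  /* distance to the next entry, header included */
    uint16_t pad;
};

/* Walk the blob and return the entry count, or -1 if any next_offset is
 * misaligned or would leave the allocated area. An out-of-range offset is
 * an error, not "this was the last entry": a walker that merely stops
 * there leaves bytes unvisited that a later pass may still index. */
int validate_entries(const uint8_t *blob, size_t size)
{
    size_t off = 0;
    int count = 0;
    while (off < size) {
        const struct entry *e;
        size_t nextoff;
        if (size - off < sizeof(*e))  /* the header itself must fit */
            return -1;
        e = (const struct entry *)(blob + off);
        nextoff = e->next_offset;
        /* advance by at least one header and never past the blob end */
        if (nextoff < sizeof(*e) || nextoff > size - off)
            return -1;
        if (nextoff % sizeof(*e) != 0)  /* alignment rule, assumed here */
            return -1;
        off += nextoff;
        count++;
    }
    return count;  /* the loop can only exit with off == size exactly */
}

/* Constructed test input: write headers carrying the given next_offsets
 * into a zeroed blob of blob_size bytes (at most 64), then validate it. */
int check_offsets(const uint16_t *offs, int n, size_t blob_size)
{
    uint8_t blob[64] = {0};
    size_t at = 0;
    if (blob_size > sizeof blob) return -1;
    for (int i = 0; i < n && at + sizeof(struct entry) <= blob_size; i++) {
        struct entry e = { .next_offset = offs[i], .pad = 0 };
        memcpy(blob + at, &e, sizeof e);
        at += offs[i] ? offs[i] : sizeof e;  /* zero would stall: step one header */
    }
    return validate_entries(blob, blob_size);
}
```

A well-formed 24-byte blob of three entries validates; a blob whose second entry claims a huge next_offset, a zero offset, a misaligned offset, or a trailing entry that does not fit is rejected rather than silently cut short.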