Florian Westphal <fw@xxxxxxxxx> wrote:
> Ben Hawkes says:
>
> In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
> is possible for a user-supplied ipt_entry structure to have a large
> next_offset field. This field is not bounds checked prior to writing a
> counter value at the supplied offset.
>
> Problem is that xt_entry_foreach() macro stops iterating once
> e->next_offset is out of bounds, assuming this is the last entry that
> will be used.
>
> However, if the blob is malformed it's possible that mark_source_chains
> function attempts to move past the last entry iff this last entry
> doesn't have a verdict/jump (i.e. evaluation continues with next rule).

Problem is that the underflow check thinks the last rule is terminal but
mark_source_chains sees that it's in fact a conditional rule.

So we should fix the underflow detection instead to catch this; I'll send
a different patch tomorrow.
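The interplay the thread describes (a bounded iteration that stops at the blob's end versus a chain walker that keeps following fall-through rules) is easier to see on a toy model. The following is an added example, not Florian's patch and not the kernel's ip_tables code: `struct rule` is a hypothetical stand-in for the two `ipt_entry` fields that matter here (`next_offset` and whether the entry ends in a verdict), and `make_blob`, `validate_blob`, `walk_fallthrough` and the `scenario_*` helpers are assumed names. `validate_blob` performs the kind of check the reply argues for: every `next_offset` must land inside the blob and the last entry must be terminal, so a walker that follows fall-through can never step past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified entry header; NOT the kernel's struct ipt_entry layout. */
struct rule {
    uint16_t next_offset;  /* bytes from this entry to the next one */
    uint8_t  has_verdict;  /* 1: verdict/jump ends evaluation here; 0: falls through */
    uint8_t  pad;          /* keep sizeof(struct rule) == 4 */
};

/* Lay out n entries back to back (constructed input). Returns blob size, 0 on overflow. */
size_t make_blob(uint8_t *out, size_t cap, const struct rule *rules, size_t n)
{
    size_t need = n * sizeof(struct rule);
    if (need > cap) return 0;
    memset(out, 0, cap);
    for (size_t i = 0; i < n; i++)
        memcpy(out + i * sizeof(struct rule), &rules[i], sizeof(struct rule));
    return need;
}

/* Returns 1 if every next_offset stays inside the blob and the LAST entry is
 * terminal (has a verdict); 0 if the blob must be rejected before any walk. */
int validate_blob(const uint8_t *blob, size_t size)
{
    size_t off = 0;
    struct rule e;
    int have_last = 0;

    while (off < size) {
        if (size - off < sizeof e) return 0;        /* truncated entry */
        memcpy(&e, blob + off, sizeof e);
        if (e.next_offset < sizeof e) return 0;      /* overlap / zero-length loop */
        if (e.next_offset > size - off) return 0;    /* points outside the blob */
        off += e.next_offset;
        have_last = 1;
    }
    if (!have_last) return 0;                        /* empty blob */
    return e.has_verdict ? 1 : 0;                    /* last entry must not fall through */
}

/* Walker in the spirit of mark_source_chains: keeps stepping to the next entry
 * until a verdict is reached. Returns entries visited, or -1 if following
 * fall-through would read past `size` (the condition the report describes). */
long walk_fallthrough(const uint8_t *blob, size_t size)
{
    size_t off = 0;
    long visited = 0;
    struct rule e;

    for (;;) {
        if (off >= size || size - off < sizeof e) return -1;  /* next read is out of bounds */
        memcpy(&e, blob + off, sizeof e);
        visited++;
        if (e.has_verdict) return visited;                     /* terminal: stop here */
        if (e.next_offset < sizeof e || e.next_offset > size - off) return -1;
        off += e.next_offset;                                  /* fall through to next entry */
    }
}

/* Constructed scenarios: 0 = well-formed, 1 = last entry falls through,
 * 2 = last next_offset points past the blob, 3 = zero-length next_offset. */
static const struct rule scenarios[4][2] = {
    { {4, 0, 0}, {4, 1, 0} },
    { {4, 0, 0}, {4, 0, 0} },
    { {4, 0, 0}, {0xFFFF, 1, 0} },
    { {0, 0, 0}, {4, 1, 0} },
};

int scenario_validate(int which)
{
    uint8_t buf[16];
    size_t n = make_blob(buf, sizeof buf, scenarios[which], 2);
    return validate_blob(buf, n);
}

long scenario_walk(int which)
{
    uint8_t buf[16];
    size_t n = make_blob(buf, sizeof buf, scenarios[which], 2);
    return walk_fallthrough(buf, n);
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("scenario %d: validate=%d walk=%ld\n", i, scenario_validate(i), scenario_walk(i));
    return 0;
}
```

Scenario 1 is the case in the thread: a size-bounded loop accepts the blob because every entry lies inside it, yet the fall-through walker runs off the end because the last entry has no verdict; the validator rejects it up front. Scenario 2 shows that the walker alone is not sufficient either, since it stops at the verdict before ever inspecting the oversized `next_offset`, which is why the check belongs in blob validation rather than in the walker.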