On Tue, Feb 27, 2018 at 07:42:26PM +0100, Florian Westphal wrote:
> syzkaller managed to trigger various interesting features, such
> as ability to create rulesets that can't be shown with iptables(8).
>
> These patches add more checks/restrictions to the x_tables validation
> of the blob coming in from userspace.
>
> In particular:
> 1. check error target name is null-terminated
> 2. cap allocations to reduce OOM invocations
> 3. enforce unique hook entry points
> 4. enforce last rule of base chain contains policy
>
> I tested this with a few ruleset dumps that I had available and
> also checked that 32bit iptables binary works, but, given these
> patches don't fix a known issue with the kernel itself I am targeting
> nf-next tree to give more soak time.

Applied to nf-next, thanks Florian.
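As an added illustration (not the kernel's code and not part of this series), the following constructed C model shows what the four checks in the cover letter enforce on a userspace blob before it is trusted. The rule and table layouts, the NAME_LEN stand-in for XT_FUNCTION_MAXNAMELEN, the verdict encoding and the MAX_ENTRIES cap are all simplified assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

#define NAME_LEN    30      /* stands in for XT_FUNCTION_MAXNAMELEN: NUL must fall inside */
#define NUM_HOOKS   5       /* stands in for NF_INET_NUMHOOKS */
#define MAX_ENTRIES 0x10000 /* check 2: refuse absurd rule counts before allocating */
#define VERDICT_DROP   (-1) /* simplified "-NF_x - 1" style verdicts; only these two */
#define VERDICT_ACCEPT (-2) /* count as a chain policy in this model */

struct rule {                 /* constructed, simplified rule layout */
    bool is_error;            /* ERROR target: carries a user chain name */
    char errorname[NAME_LEN]; /* check 1: must be NUL-terminated within NAME_LEN */
    int  verdict;             /* standard target: negative verdict or >= 0 jump index */
};

struct blob {                            /* constructed, simplified table blob */
    unsigned int num_entries;
    unsigned int valid_hooks;            /* bitmask of hooks this table uses */
    unsigned int hook_entry[NUM_HOOKS];  /* index of first rule of each base chain */
    unsigned int underflow[NUM_HOOKS];   /* index of last rule (policy) of each base chain */
    const struct rule *rules;
};

/* Returns 0 if the blob passes all four checks, otherwise a negative errno. */
int validate_blob(const struct blob *b)
{
    if (b->num_entries == 0 || b->num_entries > MAX_ENTRIES)
        return -ENOMEM;                                  /* check 2: cap allocations */

    for (unsigned int i = 0; i < b->num_entries; i++)    /* check 1: a missing NUL would */
        if (b->rules[i].is_error &&                      /* let strcmp() run past the field */
            memchr(b->rules[i].errorname, '\0', NAME_LEN) == NULL)
            return -EINVAL;

    for (unsigned int i = 0; i < NUM_HOOKS; i++) {
        if (!(b->valid_hooks & (1u << i)))
            continue;
        if (b->hook_entry[i] >= b->num_entries || b->underflow[i] >= b->num_entries)
            return -EINVAL;                              /* entry points must be in range */
        for (unsigned int j = 0; j < i; j++)             /* check 3: unique entry points */
            if ((b->valid_hooks & (1u << j)) && b->hook_entry[j] == b->hook_entry[i])
                return -EINVAL;
        const struct rule *last = &b->rules[b->underflow[i]];
        if (last->is_error ||                            /* check 4: base chain must end */
            (last->verdict != VERDICT_DROP && last->verdict != VERDICT_ACCEPT))
            return -EINVAL;                              /* in a DROP/ACCEPT policy */
    }
    return 0;
}
```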