Florian Westphal <fw@xxxxxxxxx> wrote:
> ebt_among is special, it has a dynamic match size and is exempt
> from the central size checks.
>
> commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
> added validation for pool size, but missed fact that the macros
> ebt_among_wh_src/dst can already return out-of-bound result because
> they do not check value of wh_src/dst_ofs (an offset) vs. the size
> of the match that userspace gave to us.
>
> NB: Fixes tag is intentionally wrong, this bug exists from day
> one when match was added for 2.6 kernel. Tag is there so stable
> maintainers will notice this one too.
>
> Tested with same rules from the earlier patch.

NAK, while test is enough to pacify this syzkaller reproducer Paolo
pointed out that we should add more checks, I will send a v2.
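The class of check the quoted description calls for, as an added illustration and not the kernel's own code or the v2 patch: before a userspace-supplied offset such as wh_src_ofs/wh_dst_ofs is used to locate a wormhash inside the match buffer, the offset plus the size of the structure it points at must fit inside the length userspace actually handed over. The struct layouts, the helper names and the length checks below are assumptions for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified stand-ins for the kernel structures (layout assumed for this
 * example). The real ebt_among_info carries two offsets that point past the
 * fixed header to variable-length wormhash pools in the same buffer. */
struct mac_wormhash {
    uint32_t poolsize;           /* number of entries that follow */
};

struct among_info {
    int wh_dst_ofs;              /* 0 means "no destination wormhash" */
    int wh_src_ofs;              /* 0 means "no source wormhash" */
    uint32_t bitmask;
    /* wormhash data follows in the same allocation */
};

/* Returns 1 if an offset from userspace would place the wormhash header
 * before the end of the fixed header, or past the 'match_len' bytes that
 * userspace actually supplied. Negative offsets fail the first test. */
static int wormhash_offset_invalid(int off, unsigned int match_len)
{
    if (off == 0)                /* no pool: callers treat this as NULL */
        return 0;
    if (off < (int)sizeof(struct among_info))
        return 1;
    if ((unsigned int)off + sizeof(struct mac_wormhash) > match_len)
        return 1;
    return 0;
}

/* Validate both offsets before anything dereferences them. Returns 1 when
 * the match is safe to walk, 0 when it must be rejected. */
int among_offsets_ok(const struct among_info *info, unsigned int match_len)
{
    if (match_len < sizeof(*info))
        return 0;
    if (wormhash_offset_invalid(info->wh_dst_ofs, match_len))
        return 0;
    if (wormhash_offset_invalid(info->wh_src_ofs, match_len))
        return 0;
    return 1;
}
```

A pool whose header fits still needs its poolsize checked against the remaining bytes, which is the part the earlier commit quoted above already covered.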