Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
> >Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
> >Reported-by: <syzbot+bdabab6f1983a03fc009@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> >---
> > net/bridge/netfilter/ebt_among.c | 35 +++++++++++++++++++++++++++++++++++
> > 1 file changed, 35 insertions(+)
> >
> >diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
> >index c5afb4232ecb..600ac7f6671a 100644
> >--- a/net/bridge/netfilter/ebt_among.c
> >+++ b/net/bridge/netfilter/ebt_among.c
> >@@ -177,6 +177,29 @@ static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
> > return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
> > }
> >+static bool wormhash_offset_invalid(int off, unsigned int len)
> >+{
> >+ int minsize = sizeof(struct ebt_among_info);
> >+
> >+ if (off == 0) /* not present */
> >+ return false;
> >+
> >+ if (off < minsize || off % __alignof__(struct ebt_mac_wormhash))
> >+ return true;
> >+
> >+ off += sizeof(struct ebt_mac_wormhash);
>
> Can this overflow?

Yes, off can wrap.

> >+ return off > len;

len is unsigned though so the unsigned promotion would still catch this.

If you think this is too fragile let me know and I can submit a v4 with a more explicit test (e.g. adding back "unsigned int alleged_off = off", and testing vs. INT_MAX).
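Review bot: in the wormhash_offset_invalid() hunk, `off += sizeof(struct ebt_mac_wormhash);` computes the sum as size_t and stores it back into the int `off`, so for an `off` just below INT_MAX the value that reaches `return off > len;` is whatever the implementation-defined int truncation produced (negative on gcc), and the check then only succeeds because that negative int is converted to unsigned again for the comparison with `len`. The result is right on the compilers the kernel uses, but it rests on two conversions in a row rather than on an explicit bound. Since the preceding `if (off < minsize || ...)` already guarantees `off > 0`, the test can be written with no addition at all, e.g. `if ((unsigned int)off > len) return true; return len - off < sizeof(struct ebt_mac_wormhash);`, which cannot wrap and makes the intent visible without the alleged_off/INT_MAX variant mentioned in the reply.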
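The promotion argument in the exchange above (the int truncation of `off += sizeof(...)` and the signed/unsigned comparison against `len`), worked through as an added example; this is not code from the patch or from the kernel tree. The struct definitions are stand-ins constructed to mirror the uapi layouts, `wormhash_offset_invalid_nowrap()` and `checks_agree()` are hypothetical names for this example, and the wrap-around result assumes a 32-bit int with gcc/clang's modular conversion of an out-of-range value to int.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the uapi layouts (constructed for this example; the real
 * definitions are in include/uapi/linux/netfilter_bridge/ebt_among.h). */
struct ebt_mac_wormhash_tuple { unsigned int cmp[2]; unsigned int ip; };
struct ebt_mac_wormhash { int table[257]; int poolsize;
			  struct ebt_mac_wormhash_tuple pool[]; };
struct ebt_among_info { int wh_dst_ofs; int wh_src_ofs; int bitmask; };

/* The check as quoted in the patch, reproduced here for comparison only. */
static bool wormhash_offset_invalid_patch(int off, unsigned int len)
{
	int minsize = sizeof(struct ebt_among_info);

	if (off == 0) /* not present */
		return false;
	if (off < minsize || off % __alignof__(struct ebt_mac_wormhash))
		return true;
	/* int + size_t is computed as size_t and truncated back into int:
	 * near INT_MAX the stored value is negative (gcc/clang: modular). */
	off += sizeof(struct ebt_mac_wormhash);
	/* int vs unsigned int: off is converted to unsigned, so a wrapped
	 * (negative) off becomes a huge value and fails the bound. */
	return off > len;
}

/* Explicit variant (this example's suggestion, not kernel code): keep the
 * offset unsigned and subtract instead of adding, so nothing can wrap. */
static bool wormhash_offset_invalid_nowrap(int off, unsigned int len)
{
	unsigned int uoff;

	if (off == 0) /* not present */
		return false;
	if (off < (int)sizeof(struct ebt_among_info) ||
	    off % __alignof__(struct ebt_mac_wormhash))
		return true;
	uoff = off; /* off > 0 here, so the conversion is exact */
	if (uoff > len)
		return true;
	/* the bytes after the offset must hold a full wormhash header */
	return len - uoff < sizeof(struct ebt_mac_wormhash);
}

/* What the patch's "off += sizeof(...)" leaves in the int for a given off. */
static int truncated_sum(int off)
{
	off += sizeof(struct ebt_mac_wormhash);
	return off;
}

/* Run both checks over constructed probes; true if they agree everywhere. */
static bool checks_agree(void)
{
	static const struct { int off; unsigned int len; } probes[] = {
		{ 0, 64 },                 /* absent */
		{ 12, 1044 },              /* header fits exactly */
		{ 12, 1043 },              /* one byte short */
		{ 8, 4096 },               /* inside ebt_among_info */
		{ 14, 4096 },              /* misaligned */
		{ -4, 4096 },              /* negative */
		{ INT_MAX - 3, 4096 },     /* wraps the int, out of bounds */
		{ INT_MAX - 3, UINT_MAX }, /* wraps the int, yet in bounds */
	};
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		bool a = wormhash_offset_invalid_patch(probes[i].off, probes[i].len);
		bool b = wormhash_offset_invalid_nowrap(probes[i].off, probes[i].len);

		printf("off=%11d len=%10u patch=%d nowrap=%d\n",
		       probes[i].off, probes[i].len, a, b);
		if (a != b)
			return false;
	}
	return true;
}

int main(void)
{
	printf("INT_MAX-3 + sizeof(wormhash) stored in an int: %d\n",
	       truncated_sum(INT_MAX - 3));
	return checks_agree() ? 0 : 1;
}
```

The last probe is the interesting one: with `len == UINT_MAX` an offset of `INT_MAX - 3` really does leave room for the 1032-byte header, and the patch's version still accepts it, because the negative int converts back to the exact unsigned sum (the sum is below 2^32). The two checks therefore agree on every probe; the difference is only that the subtraction form gets there without relying on the int truncation.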