Re: [PATCH nf v2] netfilter/osf: avoid OOB read

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Aug 31, 2023 at 10:37 AM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Wander Lairson Costa <wander@xxxxxxxxxx> wrote:
> >
> > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
> > index 8f1bfa6ccc2d..13fedf2aaa0f 100644
> > --- a/net/netfilter/nfnetlink_osf.c
> > +++ b/net/netfilter/nfnetlink_osf.c
> > @@ -315,6 +315,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
> >
> >       f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
> >
> > +     if (f->opt_num > ARRAY_SIZE(f->opt))
> > +             return -EINVAL;
> > +
>
> Hmm, this isn't enough; as far as I can see there is no validation
> whatsoever.
>

I didn't get it. It guarantees there is no OOB read of the opt array.

> This should also check that all of:
>
>  char    genre[MAXGENRELEN];
>  char    version[MAXGENRELEN];
>  char    subtype[MAXGENRELEN];
>
> ... have a NUL byte. You could use strnlen() == ARRAY_SIZE() -> EINVAL
> for those.
>

I think the correct way would be memchr(genre/version/subtype, 0, MAXGENRELEN).

> Maybe there is more to be validated. I did not followup with all the
> nested structures buried in user_finger struct.
>

I focused on the reported issue mainly because I am unfamiliar with
the Netfilter layer. Let me take a deeper look.





[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux