This is a note to let you know that I've just added the patch titled netfilter: nf_tables: out-of-bound check in chain blob to the 6.3-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: netfilter-nf_tables-out-of-bound-check-in-chain-blob.patch and it can be found in the queue-6.3 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 0b55db3357d614e78404be8607e16c9c43bd0091 Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Date: Tue Jun 6 16:32:44 2023 +0200 netfilter: nf_tables: out-of-bound check in chain blob [ Upstream commit 08e42a0d3ad30f276f9597b591f975971a1b0fcf ] Add current size of rule expressions to the boundary check. Fixes: 2c865a8a28a1 ("netfilter: nf_tables: add rule blob layout") Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 8c74bb1ca78a0..368aeabd8f8f1 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -8921,7 +8921,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha continue; } - if (WARN_ON_ONCE(data + expr->ops->size > data_boundary)) + if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary)) return -ENOMEM; memcpy(data + size, expr, expr->ops->size);
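Review bot: the old bound check at the top of this hunk did not test the location actually written: it compared `data + expr->ops->size` against `data_boundary`, while the `memcpy()` two lines later writes at `data + size`, so the check was only accurate for the first expression of a rule (when `size` is still zero) and a rule with several expressions could pass the check and still copy past `data_boundary`. The corrected condition `data + size + expr->ops->size > data_boundary` now matches the memcpy destination and length exactly, which is the right fix. Two small suggestions: the commit message says only "Add current size of rule expressions to the boundary check"; it would help a stable reader to state plainly that `size` is the running offset of the expressions already copied for this rule and that the previous check therefore only validated the first expression. Second, since the condition is wrapped in WARN_ON_ONCE, a hit means the blob size computed earlier disagrees with what is being copied; the `-ENOMEM` return is kept unchanged here, which is consistent with treating that as a sizing error rather than a silent truncation.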