Hi! > From: Will McVicker <willmcvicker@xxxxxxxxxx> > > commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream. > > The indexes to the nf_nat_l[34]protos arrays come from userspace. So > check the tuple's family, e.g. l3num, when creating the conntrack in > order to prevent an OOB memory access during setup. Here is an example > kernel panic on 4.14.180 when userspace passes in an index greater than > NFPROTO_NUMPROTO. Since this protects against OOB array access, should it use _nospec() variant to protect from speculation attacks? Best regards, Pavel > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlatt > if (!tb[CTA_TUPLE_IP]) > return -EINVAL; > > + if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6) > + return -EOPNOTSUPP; > tuple->src.l3num = l3num; > > err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple); > -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Attachment:
signature.asc
Description: Digital signature