netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length
Julia Lawall pointed out that the IPSET_ATTR_ETHER netlink attribute length was not checked explicitly, only against the maximum possible size. Malicious netlink clients could send a shorter attribute, resulting in a kernel read past the end of the buffer. The patch adds explicit length checks. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
parent
45040978c8
commit
d8aacd8718
@ -267,6 +267,8 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
|
|||||||
|
|
||||||
e.id = ip_to_id(map, ip);
|
e.id = ip_to_id(map, ip);
|
||||||
if (tb[IPSET_ATTR_ETHER]) {
|
if (tb[IPSET_ATTR_ETHER]) {
|
||||||
|
if (nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN)
|
||||||
|
return -IPSET_ERR_PROTOCOL;
|
||||||
memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
|
memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
|
||||||
e.add_mac = 1;
|
e.add_mac = 1;
|
||||||
}
|
}
|
||||||
|
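Review bot: The exact-length requirement for IPSET_ATTR_ETHER is enforced by hand at each use site (here just before the `memcpy`, and again inside the `unlikely()` test in the `hash_mac4_uadt` hunk), with nothing in the code saying why the attribute policy alone is not enough. Per the commit message the existing validation only bounds the maximum size, so a short comment at the check would keep it from later being removed as redundant, e.g. `/* policy only caps the length; a shorter attribute would let memcpy read past it */`. If this tree's netlink policy can express an exact length, declaring ETH_ALEN as exact there would cover every reader of the attribute at once; the policy table is not visible in these hunks, so that needs confirming. `bitmap_ipmac_uadt` starts and ends outside the hunk.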
@ -110,7 +110,8 @@ hash_mac4_uadt(struct ip_set *set, struct nlattr *tb[],
|
|||||||
if (tb[IPSET_ATTR_LINENO])
|
if (tb[IPSET_ATTR_LINENO])
|
||||||
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
|
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
|
||||||
|
|
||||||
if (unlikely(!tb[IPSET_ATTR_ETHER]))
|
if (unlikely(!tb[IPSET_ATTR_ETHER] ||
|
||||||
|
nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN))
|
||||||
return -IPSET_ERR_PROTOCOL;
|
return -IPSET_ERR_PROTOCOL;
|
||||||
|
|
||||||
ret = ip_set_get_extensions(set, tb, &ext);
|
ret = ip_set_get_extensions(set, tb, &ext);
|
||||||
|