Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d8aacd87 authored Mar 08, 2016 by Jozsef Kadlecsik

netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length



Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
was not checked explicitly, just for the maximum possible size. Malicious
netlink clients could send shorter attribute and thus resulting a kernel
read after the buffer.

The patch adds the explicit length checkings.

Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

parent 45040978

net/netfilter/ipset/ip_set_bitmap_ipmac.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -267,6 +267,8 @@ bitmap_ipmac_uadt(struct ip_set set, struct nlattr tb[],

		e.id = ip_to_id(map, ip);
		if (tb[IPSET_ATTR_ETHER]) {
		if (nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN)
		return -IPSET_ERR_PROTOCOL;
		memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
		e.add_mac = 1;
		}

net/netfilter/ipset/ip_set_hash_mac.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -110,7 +110,8 @@ hash_mac4_uadt(struct ip_set set, struct nlattr tb[],
		if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

		if (unlikely(!tb[IPSET_ATTR_ETHER]))
		if (unlikely(!tb[IPSET_ATTR_ETHER] \|\|
		nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN))
		return -IPSET_ERR_PROTOCOL;

		ret = ip_set_get_extensions(set, tb, &ext);