Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e365ade3 authored by Florian Westphal's avatar Florian Westphal Committed by Gerrit - the friendly Code Review server
Browse files

netfilter: x_tables: kill check_entry helper 



[ Upstream commit aa412ba225dd3bc36d404c28cdc3d674850d80d0 ]

Once we add more sanity testing to xt_check_entry_offsets it
becomes relvant if we're expecting a 32bit 'config_compat' blob
or a normal one.

Since we already have a lot of similar-named functions (check_entry,
compat_check_entry, find_and_check_entry, etc.) and the current
incarnation is short just fold its contents into the callers.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Git-commit: aa412ba225dd3bc36d404c28cdc3d674850d80d0
Git-repo: https://android.googlesource.com/kernel/common/


Signed-off-by: default avatarChinmay Agarwal <chinagar@codeaurora.org>

netfilter: x_tables: check for bogus target offset

[ Upstream commit ce683e5f9d045e5d67d1312a42b359cb2ab2a13c ]

We're currently asserting that targetoff + targetsize <= nextoff.

Extend it to also check that targetoff is >= sizeof(xt_entry).
Since this is generic code, add an argument pointing to the start of the
match/target, we can then derive the base structure size from the delta.

We also need the e->elems pointer in a followup change to validate matches.

Change-Id: Ia0c032eb690e2c33720309900b8edc1936ec3244
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
Git-repo: https://android.googlesource.com/kernel/common/


Signed-off-by: default avatarChinmay Agarwal <chinagar@codeaurora.org>
parent 14007618

net/ipv4/netfilter/arp_tables.c

+10 −20
Original line number Diff line number Diff line
@@ -480,23 +480,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, 
	return 1;

}



static inline int check_entry(const struct arpt_entry *e)

{

	const struct xt_entry_target *t;



	if (!arp_checkentry(&e->arp))

		return -EINVAL;



	if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)

		return -EINVAL;



	t = arpt_get_target_c(e);

	if (e->target_offset + t->u.target_size > e->next_offset)

		return -EINVAL;



	return 0;

}



static inline int check_target(struct arpt_entry *e, const char *name)

{

	struct xt_entry_target *t = arpt_get_target(e);
@@ -586,7 +569,11 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, 
		return -EINVAL;

	}



	err = check_entry(e);

	if (!arp_checkentry(&e->arp))

		return -EINVAL;



	err = xt_check_entry_offsets(e, e->elems, e->target_offset,

				     e->next_offset);

	if (err)

		return err;
@@ -1228,8 +1215,11 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, 
		return -EINVAL;

	}



	/* For purposes of check_entry casting the compat entry is fine */

	ret = check_entry((struct arpt_entry *)e);

	if (!arp_checkentry(&e->arp))

		return -EINVAL;



	ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset,

					    e->next_offset);

	if (ret)

		return ret;

net/ipv4/netfilter/ip_tables.c

+10 −22
Original line number Diff line number Diff line
@@ -573,25 +573,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) 
	module_put(par.match->me);

}



static int

check_entry(const struct ipt_entry *e)

{

	const struct xt_entry_target *t;



	if (!ip_checkentry(&e->ip))

		return -EINVAL;



	if (e->target_offset + sizeof(struct xt_entry_target) >

	    e->next_offset)

		return -EINVAL;



	t = ipt_get_target_c(e);

	if (e->target_offset + t->u.target_size > e->next_offset)

		return -EINVAL;



	return 0;

}



static int

check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)

{
@@ -749,7 +730,11 @@ check_entry_size_and_hooks(struct ipt_entry *e, 
		return -EINVAL;

	}



	err = check_entry(e);

	if (!ip_checkentry(&e->ip))

		return -EINVAL;



	err = xt_check_entry_offsets(e, e->elems, e->target_offset,

				     e->next_offset);

	if (err)

		return err;
@@ -1484,8 +1469,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, 
		return -EINVAL;

	}



	/* For purposes of check_entry casting the compat entry is fine */

	ret = check_entry((struct ipt_entry *)e);

	if (!ip_checkentry(&e->ip))

		return -EINVAL;



	ret = xt_compat_check_entry_offsets(e, e->elems,

					    e->target_offset, e->next_offset);

	if (ret)

		return ret;

net/ipv6/netfilter/ip6_tables.c

+10 −22
Original line number Diff line number Diff line
@@ -583,25 +583,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) 
	module_put(par.match->me);

}



static int

check_entry(const struct ip6t_entry *e)

{

	const struct xt_entry_target *t;



	if (!ip6_checkentry(&e->ipv6))

		return -EINVAL;



	if (e->target_offset + sizeof(struct xt_entry_target) >

	    e->next_offset)

		return -EINVAL;



	t = ip6t_get_target_c(e);

	if (e->target_offset + t->u.target_size > e->next_offset)

		return -EINVAL;



	return 0;

}



static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)

{

	const struct ip6t_ip6 *ipv6 = par->entryinfo;
@@ -760,7 +741,11 @@ check_entry_size_and_hooks(struct ip6t_entry *e, 
		return -EINVAL;

	}



	err = check_entry(e);

	if (!ip6_checkentry(&e->ipv6))

		return -EINVAL;



	err = xt_check_entry_offsets(e, e->elems, e->target_offset,

				     e->next_offset);

	if (err)

		return err;
@@ -1495,8 +1480,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, 
		return -EINVAL;

	}



	/* For purposes of check_entry casting the compat entry is fine */

	ret = check_entry((struct ip6t_entry *)e);

	if (!ip6_checkentry(&e->ipv6))

		return -EINVAL;



	ret = xt_compat_check_entry_offsets(e, e->elems,

					    e->target_offset, e->next_offset);

	if (ret)

		return ret;

net/netfilter/x_tables.c

+3 −0
Original line number Diff line number Diff line
@@ -681,6 +681,9 @@ EXPORT_SYMBOL(xt_compat_check_entry_offsets); 
 *

 * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.

 *

 * This function does not validate the targets or matches themselves, it

 * only tests that all the offsets and sizes are correct.

 *

 * The arp/ip/ip6t_entry structure @base must have passed following tests:

 * - it must point to a valid memory location

 * - base to base + next_offset must be accessible, i.e. not exceed allocated