Commit edd5e3cd authored by Florian Westphal, committed by minz1

netfilter: x_tables: don't move to non-existent next rule
commit f24e230d257af1ad7476c6e81a8dc3127a74204e upstream.

Ben Hawkes says:

 In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
 is possible for a user-supplied ipt_entry structure to have a large
 next_offset field. This field is not bounds checked prior to writing a
 counter value at the supplied offset.

Base chains enforce absolute verdict.

User defined chains are supposed to end with an unconditional return,
xtables userspace adds them automatically.

But if such a return is missing, we will move to a non-existent next rule.

CVE-2016-3134

Change-Id: I4823c0459c072ab4939ab1ccab1588c4dcf03f93
Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Chas Williams <3chas3@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
parent 1b101cfa