www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 1 Apr 2016 12:17:23 +0000 (14:17 +0200)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Fri, 30 Sep 2016 06:05:12 +0000 (23:05 -0700)
commit	33242b9f498aa75e2236a50b424e6d09851fc2f6
tree	056a76009bf40e8d85e33508f475f86f9be73e0d	tree
parent	c6f30cf06085ccc0a189a3c192b0a990c3f90ba3	commit \| diff

netfilter: x_tables: add and use xt_check_entry_offsets

Orabug: 24690280
CVE: CVE-2016-3134

[ Upstream commit 7d35812c3214afa5b37a675113555259cfd67b98 ]

Currently arp/ip and ip6tables each implement a short helper to check that
the target offset is large enough to hold one xt_entry_target struct and
that t->u.target_size fits within the current rule.

Unfortunately these checks are not sufficient.

To avoid adding new tests to all of ip/ip6/arptables move the current
checks into a helper, then extend this helper in followup patches.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit a471ac817cf0e0d6e87779ca1fee216ba849e613)
Signed-off-by: Brian Maly <brian.maly@oracle.com>

include/linux/netfilter/x_tables.h		diff \| blob \| history
net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history
net/netfilter/x_tables.c		diff \| blob \| history