www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 22 Mar 2016 17:02:52 +0000 (18:02 +0100)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Fri, 30 Sep 2016 06:04:38 +0000 (23:04 -0700)
commit	3b98016892573b6f707ef2f29e747e17b50dca9e
tree	3a6a70b93f4066959d9465f57b35a439f0143665	tree
parent	1eb755025bb3579bea60d778c58d344ce4a7a5bd	commit \| diff

netfilter: x_tables: fix unconditional helper

Orabug: 24690280
CVE: CVE-2016-3134

[ Upstream commit 54d83fc74aa9ec72794373cb47432c5f7fb1a309 ]

Ben Hawkes says:

In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.

Problem is that mark_source_chains should not have been called --
the rule doesn't have a next entry, so its supposed to return
an absolute verdict of either ACCEPT or DROP.

However, the function conditional() doesn't work as the name implies.
It only checks that the rule is using wildcard address matching.

However, an unconditional rule must also not be using any matches
(no -m args).

The underflow validator only checked the addresses, therefore
passing the 'unconditional absolute verdict' test, while
mark_source_chains also tested for presence of matches, and thus
proceeeded to the next (not-existent) rule.

Unify this so that all the callers have same idea of 'unconditional rule'.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit 850c377e0e2d76723884d610ff40827d26aa21eb)
Signed-off-by: Brian Maly <brian.maly@oracle.com>

net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history