www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 1 Apr 2016 12:17:28 +0000 (14:17 +0200)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Fri, 30 Sep 2016 06:05:39 +0000 (23:05 -0700)
commit	5ca4f85e2387fd97d8685637a3ab796bfcc2a36a
tree	59cc0c69bc70ef056bfc0a20fb8b59398244178c	tree
parent	433a8c5a4d42daec294b6a17a61ba663a6a525f5	commit \| diff

netfilter: x_tables: check for bogus target offset

Orabug: 24690280
CVE: CVE-2016-3134

[ Upstream commit ce683e5f9d045e5d67d1312a42b359cb2ab2a13c ]

We're currently asserting that targetoff + targetsize <= nextoff.

Extend it to also check that targetoff is >= sizeof(xt_entry).
Since this is generic code, add an argument pointing to the start of the
match/target, we can then derive the base structure size from the delta.

We also need the e->elems pointer in a followup change to validate matches.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit 451e4403bc4abc51539376d4314baa739ab9e996)
Signed-off-by: Brian Maly <brian.maly@oracle.com>

include/linux/netfilter/x_tables.h		diff \| blob \| history
net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history
net/netfilter/x_tables.c		diff \| blob \| history