tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
netfilter: nf_tables: missing sanitization in data from userspace
Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and
cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it
is still possible to handcraft a netlink message using this incorrect
data type.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+24
-7
+14
-5
net/netfilter/nft_bitwise.c
+14
-5
net/netfilter/nft_bitwise.c
···
83
83
tb[NFTA_BITWISE_MASK]);
84
84
if (err < 0)
85
85
return err;
86
-
if (d1.len != priv->len)
87
-
return -EINVAL;
86
+
if (d1.len != priv->len) {
87
+
err = -EINVAL;
88
+
goto err1;
89
+
}
88
90
89
91
err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &d2,
90
92
tb[NFTA_BITWISE_XOR]);
91
93
if (err < 0)
92
-
return err;
93
-
if (d2.len != priv->len)
94
-
return -EINVAL;
94
+
goto err1;
95
+
if (d2.len != priv->len) {
96
+
err = -EINVAL;
97
+
goto err2;
98
+
}
95
99
96
100
return 0;
101
+
err2:
102
+
nft_data_uninit(&priv->xor, d2.type);
103
+
err1:
104
+
nft_data_uninit(&priv->mask, d1.type);
105
+
return err;
97
106
}
98
107
99
108
static int nft_bitwise_dump(struct sk_buff *skb, const struct nft_expr *expr)
+10
-2
net/netfilter/nft_cmp.c
+10
-2
net/netfilter/nft_cmp.c
···
201
201
if (err < 0)
202
202
return ERR_PTR(err);
203
203
204
+
if (desc.type != NFT_DATA_VALUE) {
205
+
err = -EINVAL;
206
+
goto err1;
207
+
}
208
+
204
209
if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ)
205
210
return &nft_cmp_fast_ops;
206
-
else
207
-
return &nft_cmp_ops;
211
+
212
+
return &nft_cmp_ops;
213
+
err1:
214
+
nft_data_uninit(&data, desc.type);
215
+
return ERR_PTR(-EINVAL);
208
216
}
209
217
210
218
struct nft_expr_type nft_cmp_type __read_mostly = {