netfilter: xt_sctp: validate the flag_info count

walac · ummakynes · commit e99476497687 · 2023-08-30T17:34:01.000+02:00
sctp_mt_check doesn't validate the flag_count field. An attacker can take advantage of that to trigger a OOB read and leak memory information. Add the field validation in the checkentry function. Fixes: 2e4e6a1 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") Cc: stable@vger.kernel.org Reported-by: Lucas Leong <wmliang@infosec.exchange> Signed-off-by: Wander Lairson Costa <wander@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
@@ -149,6 +149,8 @@ static int sctp_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_sctp_info *info = par->matchinfo;
 
+	if (info->flag_count > ARRAY_SIZE(info->flag_info))
+		return -EINVAL;
 	if (info->flags & ~XT_SCTP_VALID_FLAGS)
 		return -EINVAL;
 	if (info->invflags & ~XT_SCTP_VALID_FLAGS)

Original file line number	Diff line number	Diff line change
`@@ -149,6 +149,8 @@ static int sctp_mt_check(const struct xt_mtchk_param *par)`
`149`	`149`	`{`
`150`	`150`	`const struct xt_sctp_info *info = par->matchinfo;`
`151`	`151`
	`152`	`+ if (info->flag_count > ARRAY_SIZE(info->flag_info))`
	`153`	`+ return -EINVAL;`
`152`	`154`	`if (info->flags & ~XT_SCTP_VALID_FLAGS)`
`153`	`155`	`return -EINVAL;`
`154`	`156`	`if (info->invflags & ~XT_SCTP_VALID_FLAGS)`