Commit c4585a2

Florian Westphal authored and ummakynes committed
netfilter: bridge: ebt_among: add missing match size checks

ebt_among is special, it has a dynamic match size and is exempt from the central size checks.

Therefore it must check that the size of the match structure provided from userspace is sane by making sure em->match_size is at least the minimum size of the expected structure.

The module has such a check, but it's only done after accessing a structure that might be out of bounds.

tested with: ebtables -A INPUT ... \
--among-dst fe:fe:fe:fe:fe:fe
--among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe
--among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe

Reported-by: <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>

1 parent b078556 commit c4585a2

1 file changed

+19
-2
lines changed

net/bridge/netfilter/ebt_among.c

Lines changed: 19 additions & 2 deletions
@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
172172
return true;
173173
}
174174

175+
static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
176+
{
177+
return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
178+
}
179+
175180
static int ebt_among_mt_check(const struct xt_mtchk_param *par)
176181
{
177182
const struct ebt_among_info *info = par->matchinfo;
178183
const struct ebt_entry_match *em =
179184
container_of(par->matchinfo, const struct ebt_entry_match, data);
180-
int expected_length = sizeof(struct ebt_among_info);
185+
unsigned int expected_length = sizeof(struct ebt_among_info);
181186
const struct ebt_mac_wormhash *wh_dst, *wh_src;
182187
int err;
183188

189+
if (expected_length > em->match_size)
190+
return -EINVAL;
191+
184192
wh_dst = ebt_among_wh_dst(info);
185-
wh_src = ebt_among_wh_src(info);
193+
if (poolsize_invalid(wh_dst))
194+
return -EINVAL;
195+
186196
expected_length += ebt_mac_wormhash_size(wh_dst);
197+
if (expected_length > em->match_size)
198+
return -EINVAL;
199+
200+
wh_src = ebt_among_wh_src(info);
201+
if (poolsize_invalid(wh_src))
202+
return -EINVAL;
203+
187204
expected_length += ebt_mac_wormhash_size(wh_src);
188205

189206
if (em->match_size != EBT_ALIGN(expected_length)) {
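
Review bot: poolsize_invalid(wh_dst) and poolsize_invalid(wh_src) read w->poolsize before anything in this hunk shows that the wormhash pointer itself lies inside em->match_size; the new check at the top of ebt_among_mt_check() only guarantees sizeof(struct ebt_among_info) bytes. If ebt_among_wh_dst() and ebt_among_wh_src() build the pointer from an offset stored in the userspace-supplied info, that offset plus sizeof(struct ebt_mac_wormhash) should be compared against em->match_size before the dereference, otherwise the kind of out-of-bounds access the commit message describes stays reachable. A smaller point: in poolsize_invalid() the >= compares w->poolsize against a size_t expression, so a negative poolsize (assuming the field is a signed int, which is not visible here) is rejected only through implicit conversion to unsigned; an explicit w->poolsize < 0 test or a one-line comment would make that intentional.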