diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-05-15 06:17:29 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-05-15 06:51:40 -0400 |
| commit | 71df14b0ce094be46d105b5a3ededd83b8e779a0 (patch) | |
| tree | b0d32758237566a91e43001780641c7a6971d2dc | |
| parent | fa803605eef39372e53d7813002d73a3fcf10c88 (diff) | |
netfilter: nf_tables: missing sanitization in data from userspace
Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and
cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it
is still possible to handcraft a netlink message using this incorrect
data type.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | net/netfilter/nft_bitwise.c | 19 | ||||
| -rw-r--r-- | net/netfilter/nft_cmp.c | 12 |
2 files changed, 24 insertions, 7 deletions
diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c index 877d9acd91ef..96bd4f325b0f 100644 --- a/net/netfilter/nft_bitwise.c +++ b/net/netfilter/nft_bitwise.c | |||
| @@ -83,17 +83,26 @@ static int nft_bitwise_init(const struct nft_ctx *ctx, | |||
| 83 | tb[NFTA_BITWISE_MASK]); | 83 | tb[NFTA_BITWISE_MASK]); |
| 84 | if (err < 0) | 84 | if (err < 0) |
| 85 | return err; | 85 | return err; |
| 86 | if (d1.len != priv->len) | 86 | if (d1.len != priv->len) { |
| 87 | return -EINVAL; | 87 | err = -EINVAL; |
| 88 | goto err1; | ||
| 89 | } | ||
| 88 | 90 | ||
| 89 | err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &d2, | 91 | err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &d2, |
| 90 | tb[NFTA_BITWISE_XOR]); | 92 | tb[NFTA_BITWISE_XOR]); |
| 91 | if (err < 0) | 93 | if (err < 0) |
| 92 | return err; | 94 | goto err1; |
| 93 | if (d2.len != priv->len) | 95 | if (d2.len != priv->len) { |
| 94 | return -EINVAL; | 96 | err = -EINVAL; |
| 97 | goto err2; | ||
| 98 | } | ||
| 95 | 99 | ||
| 96 | return 0; | 100 | return 0; |
| 101 | err2: | ||
| 102 | nft_data_uninit(&priv->xor, d2.type); | ||
| 103 | err1: | ||
| 104 | nft_data_uninit(&priv->mask, d1.type); | ||
| 105 | return err; | ||
| 97 | } | 106 | } |
| 98 | 107 | ||
| 99 | static int nft_bitwise_dump(struct sk_buff *skb, const struct nft_expr *expr) | 108 | static int nft_bitwise_dump(struct sk_buff *skb, const struct nft_expr *expr) |
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c index 2b96effeadc1..8c9d0fb19118 100644 --- a/net/netfilter/nft_cmp.c +++ b/net/netfilter/nft_cmp.c | |||
| @@ -201,10 +201,18 @@ nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[]) | |||
| 201 | if (err < 0) | 201 | if (err < 0) |
| 202 | return ERR_PTR(err); | 202 | return ERR_PTR(err); |
| 203 | 203 | ||
| 204 | if (desc.type != NFT_DATA_VALUE) { | ||
| 205 | err = -EINVAL; | ||
| 206 | goto err1; | ||
| 207 | } | ||
| 208 | |||
| 204 | if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ) | 209 | if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ) |
| 205 | return &nft_cmp_fast_ops; | 210 | return &nft_cmp_fast_ops; |
| 206 | else | 211 | |
| 207 | return &nft_cmp_ops; | 212 | return &nft_cmp_ops; |
| 213 | err1: | ||
| 214 | nft_data_uninit(&data, desc.type); | ||
| 215 | return ERR_PTR(-EINVAL); | ||
| 208 | } | 216 | } |
| 209 | 217 | ||
| 210 | struct nft_expr_type nft_cmp_type __read_mostly = { | 218 | struct nft_expr_type nft_cmp_type __read_mostly = { |