[NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables

There is a number of issues in parsing user-provided table in
translate_table(). Malicious user with CAP_NET_ADMIN may crash system by
passing special-crafted table to the *_tables.

The first issue is that mark_source_chains() function is called before entry
content checks. In case of standard target, mark_source_chains() function
uses t->verdict field in order to determine new position. But the check, that
this field leads no further, than the table end, is in check_entry(), which
is called later, than mark_source_chains().

The second issue, that there is no check that target_offset points inside
entry. If so, *_ITERATE_MATCH macro will follow further, than the entry
ends. As a result, we'll have oops or memory disclosure.

And the third issue, that there is no check that the target is completely
inside entry. Results are the same, as in previous issue.

Signed-off-by: Dmitry Mishin <dim@openvz.org>
Acked-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 16 insertions, 8 deletions

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 53bf977cca63..167c2ea88f6b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -586,12 +586,19 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
                 return -EINVAL;
         }
 
+        if (e->target_offset + sizeof(struct ip6t_entry_target) >
+                                                                e->next_offset)
+                return -EINVAL;
+
         j = 0;
         ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
         if (ret != 0)
                 goto cleanup_matches;
 
         t = ip6t_get_target(e);
+        ret = -EINVAL;
+        if (e->target_offset + t->u.target_size > e->next_offset)
+                        goto cleanup_matches;
         target = try_then_request_module(xt_find_target(AF_INET6,
                                                         t->u.user.name,
                                                         t->u.user.revision),
@@ -751,19 +758,17 @@ translate_table(const char *name,
                 }
         }
 
-        if (!mark_source_chains(newinfo, valid_hooks, entry0))
-                return -ELOOP;
-
         /* Finally, each sanity check must pass */
         i = 0;
         ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
                                 check_entry, name, size, &i);
 
-        if (ret != 0) {
-                IP6T_ENTRY_ITERATE(entry0, newinfo->size,
-                                  cleanup_entry, &i);
-                return ret;
-        }
+        if (ret != 0)
+                goto cleanup;
+
+        ret = -ELOOP;
+        if (!mark_source_chains(newinfo, valid_hooks, entry0))
+                goto cleanup;
 
         /* And one copy for every other CPU */
         for_each_possible_cpu(i) {
@@ -771,6 +776,9 @@ translate_table(const char *name,
                         memcpy(newinfo->entries[i], entry0, newinfo->size);
         }
 
+        return 0;
+cleanup:
+        IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
         return ret;
 }