diff options
| author | Patrick McHardy <kaber@trash.net> | 2006-05-01 23:12:22 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-05-01 23:48:32 -0400 |
| commit | 46c5ea3c9ae7fbc6e52a13c92e59d4fc7f4ca80a (patch) | |
| tree | 4ab2c54a0b0d9621ed42c032cc67d93638c8681c /net | |
| parent | 9817d207dc13e3a9fc0287bbd36bdfa3cffe5ed4 (diff) | |
[NETFILTER] x_tables: fix compat related crash on non-x86
When iptables userspace adds an ipt_standard_target, it calculates the size
of the entire entry as:
sizeof(struct ipt_entry) + XT_ALIGN(sizeof(struct ipt_standard_target))
ipt_standard_target looks like this:
struct xt_standard_target
{
struct xt_entry_target target;
int verdict;
};
xt_entry_target contains a pointer, so when compiled for 64 bit the
structure gets an extra 4 byte of padding at the end. On 32 bit
architectures where iptables aligns to 8 byte it will also have 4
byte padding at the end because it is only 36 bytes large.
The compat_ipt_standard_fn in the kernel adjusts the offsets by
sizeof(struct ipt_standard_target) - sizeof(struct compat_ipt_standard_target),
which will always result in 4, even if the structure from userspace
was already padded to a multiple of 8. On x86 this works out by
accident because userspace only aligns to 4, on all other
architectures this is broken and causes incorrect adjustments to
the size and following offsets.
Thanks to Linus for lots of debugging help and testing.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index d25ac8ba6eba..6d1c11563943 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
| @@ -956,15 +956,16 @@ struct compat_ipt_standard_target | |||
| 956 | compat_int_t verdict; | 956 | compat_int_t verdict; |
| 957 | }; | 957 | }; |
| 958 | 958 | ||
| 959 | #define IPT_ST_OFFSET (sizeof(struct ipt_standard_target) - \ | ||
| 960 | sizeof(struct compat_ipt_standard_target)) | ||
| 961 | |||
| 962 | struct compat_ipt_standard | 959 | struct compat_ipt_standard |
| 963 | { | 960 | { |
| 964 | struct compat_ipt_entry entry; | 961 | struct compat_ipt_entry entry; |
| 965 | struct compat_ipt_standard_target target; | 962 | struct compat_ipt_standard_target target; |
| 966 | }; | 963 | }; |
| 967 | 964 | ||
| 965 | #define IPT_ST_LEN XT_ALIGN(sizeof(struct ipt_standard_target)) | ||
| 966 | #define IPT_ST_COMPAT_LEN COMPAT_XT_ALIGN(sizeof(struct compat_ipt_standard_target)) | ||
| 967 | #define IPT_ST_OFFSET (IPT_ST_LEN - IPT_ST_COMPAT_LEN) | ||
| 968 | |||
| 968 | static int compat_ipt_standard_fn(void *target, | 969 | static int compat_ipt_standard_fn(void *target, |
| 969 | void **dstptr, int *size, int convert) | 970 | void **dstptr, int *size, int convert) |
| 970 | { | 971 | { |
| @@ -975,35 +976,29 @@ static int compat_ipt_standard_fn(void *target, | |||
| 975 | ret = 0; | 976 | ret = 0; |
| 976 | switch (convert) { | 977 | switch (convert) { |
| 977 | case COMPAT_TO_USER: | 978 | case COMPAT_TO_USER: |
| 978 | pst = (struct ipt_standard_target *)target; | 979 | pst = target; |
| 979 | memcpy(&compat_st.target, &pst->target, | 980 | memcpy(&compat_st.target, &pst->target, |
| 980 | sizeof(struct ipt_entry_target)); | 981 | sizeof(compat_st.target)); |
| 981 | compat_st.verdict = pst->verdict; | 982 | compat_st.verdict = pst->verdict; |
| 982 | if (compat_st.verdict > 0) | 983 | if (compat_st.verdict > 0) |
| 983 | compat_st.verdict -= | 984 | compat_st.verdict -= |
| 984 | compat_calc_jump(compat_st.verdict); | 985 | compat_calc_jump(compat_st.verdict); |
| 985 | compat_st.target.u.user.target_size = | 986 | compat_st.target.u.user.target_size = IPT_ST_COMPAT_LEN; |
| 986 | sizeof(struct compat_ipt_standard_target); | 987 | if (copy_to_user(*dstptr, &compat_st, IPT_ST_COMPAT_LEN)) |
| 987 | if (__copy_to_user(*dstptr, &compat_st, | ||
| 988 | sizeof(struct compat_ipt_standard_target))) | ||
| 989 | ret = -EFAULT; | 988 | ret = -EFAULT; |
| 990 | *size -= IPT_ST_OFFSET; | 989 | *size -= IPT_ST_OFFSET; |
| 991 | *dstptr += sizeof(struct compat_ipt_standard_target); | 990 | *dstptr += IPT_ST_COMPAT_LEN; |
| 992 | break; | 991 | break; |
| 993 | case COMPAT_FROM_USER: | 992 | case COMPAT_FROM_USER: |
| 994 | pcompat_st = | 993 | pcompat_st = target; |
| 995 | (struct compat_ipt_standard_target *)target; | 994 | memcpy(&st.target, &pcompat_st->target, IPT_ST_COMPAT_LEN); |
| 996 | memcpy(&st.target, &pcompat_st->target, | ||
| 997 | sizeof(struct ipt_entry_target)); | ||
| 998 | st.verdict = pcompat_st->verdict; | 995 | st.verdict = pcompat_st->verdict; |
| 999 | if (st.verdict > 0) | 996 | if (st.verdict > 0) |
| 1000 | st.verdict += compat_calc_jump(st.verdict); | 997 | st.verdict += compat_calc_jump(st.verdict); |
| 1001 | st.target.u.user.target_size = | 998 | st.target.u.user.target_size = IPT_ST_LEN; |
| 1002 | sizeof(struct ipt_standard_target); | 999 | memcpy(*dstptr, &st, IPT_ST_LEN); |
| 1003 | memcpy(*dstptr, &st, | ||
| 1004 | sizeof(struct ipt_standard_target)); | ||
| 1005 | *size += IPT_ST_OFFSET; | 1000 | *size += IPT_ST_OFFSET; |
| 1006 | *dstptr += sizeof(struct ipt_standard_target); | 1001 | *dstptr += IPT_ST_LEN; |
| 1007 | break; | 1002 | break; |
| 1008 | case COMPAT_CALC_SIZE: | 1003 | case COMPAT_CALC_SIZE: |
| 1009 | *size += IPT_ST_OFFSET; | 1004 | *size += IPT_ST_OFFSET; |