590bdf7fd2
There is a number of issues in parsing user-provided table in translate_table(). Malicious user with CAP_NET_ADMIN may crash system by passing special-crafted table to the *_tables. The first issue is that mark_source_chains() function is called before entry content checks. In case of standard target, mark_source_chains() function uses t->verdict field in order to determine new position. But the check, that this field leads no further, than the table end, is in check_entry(), which is called later, than mark_source_chains(). The second issue, that there is no check that target_offset points inside entry. If so, *_ITERATE_MATCH macro will follow further, than the entry ends. As a result, we'll have oops or memory disclosure. And the third issue, that there is no check that the target is completely inside entry. Results are the same, as in previous issue. Signed-off-by: Dmitry Mishin <dim@openvz.org> Acked-by: Kirill Korotaev <dev@openvz.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
802 | ||
8021q | ||
appletalk | ||
atm | ||
ax25 | ||
bluetooth | ||
bridge | ||
core | ||
dccp | ||
decnet | ||
econet | ||
ethernet | ||
ieee80211 | ||
ipv4 | ||
ipv6 | ||
ipx | ||
irda | ||
key | ||
lapb | ||
llc | ||
netfilter | ||
netlabel | ||
netlink | ||
netrom | ||
packet | ||
rose | ||
rxrpc | ||
sched | ||
sctp | ||
sunrpc | ||
tipc | ||
unix | ||
wanrouter | ||
x25 | ||
xfrm | ||
compat.c | ||
Kconfig | ||
Makefile | ||
nonet.c | ||
socket.c | ||
sysctl_net.c | ||
TUNABLE |