android_kernel_xiaomi_sm7250/net/ipv4
Dmitry Mishin 590bdf7fd2 [NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables
There are a number of issues in parsing the user-provided table in
translate_table(). A malicious user with CAP_NET_ADMIN may crash the system by
passing a specially crafted table to the *_tables.

The first issue is that the mark_source_chains() function is called before the
entry content checks. In the case of a standard target, the mark_source_chains()
function uses the t->verdict field in order to determine the new position. But
the check that this field leads no further than the table end is in
check_entry(), which is called later than mark_source_chains().

The second issue is that there is no check that target_offset points inside
the entry. If so, the *_ITERATE_MATCH macro will follow further than the entry
ends. As a result, we'll have an oops or memory disclosure.

And the third issue is that there is no check that the target is completely
inside the entry. The results are the same as in the previous issue.

Signed-off-by: Dmitry Mishin <dim@openvz.org>
Acked-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-10-30 15:24:44 -08:00
ipvs [PATCH] ptrdiff_t is %t, not %z 2006-10-10 15:37:23 -07:00
netfilter [NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables 2006-10-30 15:24:44 -08:00
af_inet.c
ah4.c
arp.c fix file specification in comments 2006-10-03 23:01:26 +02:00
cipso_ipv4.c NetLabel: the CIPSOv4 passthrough mapping does not pass categories correctly 2006-10-15 23:14:16 -07:00
datagram.c
devinet.c
esp4.c [XFRM]: BEET mode 2006-10-04 00:31:09 -07:00
fib_frontend.c [IPv4] fib: Remove unused fib_config members 2006-10-18 20:26:36 -07:00
fib_hash.c
fib_lookup.h
fib_rules.c
fib_semantics.c
fib_trie.c
icmp.c
igmp.c
inet_connection_sock.c
inet_diag.c
inet_hashtables.c
inet_timewait_sock.c
inetpeer.c [NET]: reduce sizeof(struct inet_peer), cleanup, change in peer_check_expire() 2006-10-15 23:14:17 -07:00
ip_forward.c
ip_fragment.c
ip_gre.c [NET]: Use hton{l,s}() for non-initializers. 2006-10-11 23:59:56 -07:00
ip_input.c
ip_options.c
ip_output.c
ip_sockglue.c
ipcomp.c [XFRM]: BEET mode 2006-10-04 00:31:09 -07:00
ipconfig.c [IPV4] ipconfig: fix RARP ic_servaddr breakage 2006-10-24 15:18:36 -07:00
ipip.c
ipmr.c
Kconfig [XFRM]: BEET mode 2006-10-04 00:31:09 -07:00
Makefile [XFRM]: BEET mode 2006-10-04 00:31:09 -07:00
multipath_drr.c
multipath_random.c
multipath_rr.c
multipath_wrandom.c
multipath.c
netfilter.c [NETFILTER]: add type parameter to ip_route_me_harder 2006-10-04 00:30:54 -07:00
proc.c
protocol.c
raw.c [NET]: fix uaccess handling 2006-10-30 15:24:41 -08:00
route.c [NET]: Do not memcmp() over pad bytes of struct flowi. 2006-10-12 00:49:15 -07:00
syncookies.c
sysctl_net_ipv4.c
tcp_bic.c
tcp_cong.c
tcp_cubic.c [TCP] cubic: scaling error 2006-10-25 23:04:12 -07:00
tcp_diag.c
tcp_highspeed.c
tcp_htcp.c [TCP] H-TCP: fix integer overflow 2006-10-25 23:05:52 -07:00
tcp_hybla.c
tcp_input.c [TCP]: Kill warning in tcp_clean_rtx_queue(). 2006-10-04 00:31:08 -07:00
tcp_ipv4.c [TCP]: One NET_INC_STATS() could be NET_INC_STATS_BH in tcp_v4_err() 2006-10-20 00:22:25 -07:00
tcp_lp.c
tcp_minisocks.c
tcp_output.c [TCP]: Bound TSO defer time 2006-10-18 20:36:48 -07:00
tcp_probe.c [PATCH] Kprobes: Make kprobe modules more portable 2006-10-02 07:57:16 -07:00
tcp_scalable.c
tcp_timer.c
tcp_vegas.c
tcp_veno.c
tcp_westwood.c
tcp.c
tunnel4.c
udp.c [UDP]: Fix MSG_PROBE crash 2006-10-04 00:31:00 -07:00
xfrm4_input.c
xfrm4_mode_beet.c [XFRM]: BEET mode 2006-10-04 00:31:09 -07:00
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
xfrm4_output.c
xfrm4_policy.c IPsec: correct semantics for SELinux policy matching 2006-10-11 23:59:37 -07:00
xfrm4_state.c
xfrm4_tunnel.c