Commit fd94d9da authored by Florian Westphal's avatar Florian Westphal

netfilter: nftables: exthdr: fix 4-byte stack OOB write

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f64 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203 ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
parent 1a961e74
...@@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset) ...@@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset)
return opt[offset + 1]; return opt[offset + 1];
} }
static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)
{
if (len % NFT_REG32_SIZE)
dest[len / NFT_REG32_SIZE] = 0;
return skb_copy_bits(skb, offset, dest, len);
}
static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
struct nft_regs *regs, struct nft_regs *regs,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
...@@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, ...@@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
} }
offset += priv->offset; offset += priv->offset;
dest[priv->len / NFT_REG32_SIZE] = 0; if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
goto err; goto err;
return; return;
err: err:
...@@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, ...@@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
} }
offset += priv->offset; offset += priv->offset;
dest[priv->len / NFT_REG32_SIZE] = 0; if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
goto err; goto err;
return; return;
err: err:
...@@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, ...@@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
if (priv->flags & NFT_EXTHDR_F_PRESENT) { if (priv->flags & NFT_EXTHDR_F_PRESENT) {
*dest = 1; *dest = 1;
} else { } else {
dest[priv->len / NFT_REG32_SIZE] = 0; if (priv->len % NFT_REG32_SIZE)
dest[priv->len / NFT_REG32_SIZE] = 0;
memcpy(dest, opt + offset, priv->len); memcpy(dest, opt + offset, priv->len);
} }
...@@ -388,9 +395,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, ...@@ -388,9 +395,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
offset + ntohs(sch->length) > pkt->skb->len) offset + ntohs(sch->length) > pkt->skb->len)
break; break;
dest[priv->len / NFT_REG32_SIZE] = 0; if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset,
if (skb_copy_bits(pkt->skb, offset + priv->offset, dest, priv->len) < 0)
dest, priv->len) < 0)
break; break;
return; return;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment