Commit d559dd79 authored by Al Viro's avatar Al Viro Committed by Adrian Bunk

[EBTABLES]: Fix wraparounds in ebt_entries verification.

We need to verify that
    a) we are not too close to the end of buffer to dereference
    b) next entry we'll be checking won't be _before_ our

While we are at it, don't subtract unrelated pointers...
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarAdrian Bunk <bunk@stusta.de>
parent b00b3fe3
...@@ -422,13 +422,17 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e, ...@@ -422,13 +422,17 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e,
struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt, struct ebt_entries **hook_entries, unsigned int *n, unsigned int *cnt,
unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks) unsigned int *totalcnt, unsigned int *udc_cnt, unsigned int valid_hooks)
{ {
unsigned int offset = (char *)e - newinfo->entries;
size_t left = (limit - base) - offset;
int i; int i;
if (left < sizeof(unsigned int))
goto Esmall;
for (i = 0; i < NF_BR_NUMHOOKS; i++) { for (i = 0; i < NF_BR_NUMHOOKS; i++) {
if ((valid_hooks & (1 << i)) == 0) if ((valid_hooks & (1 << i)) == 0)
continue; continue;
if ( (char *)hook_entries[i] - base == if ((char *)hook_entries[i] == base + offset)
(char *)e - newinfo->entries)
break; break;
} }
/* beginning of a new chain /* beginning of a new chain
...@@ -449,11 +453,8 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e, ...@@ -449,11 +453,8 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e,
return -EINVAL; return -EINVAL;
} }
/* before we look at the struct, be sure it is not too big */ /* before we look at the struct, be sure it is not too big */
if ((char *)hook_entries[i] + sizeof(struct ebt_entries) if (left < sizeof(struct ebt_entries))
> limit) { goto Esmall;
BUGPRINT("entries_size too small\n");
return -EINVAL;
}
if (((struct ebt_entries *)e)->policy != EBT_DROP && if (((struct ebt_entries *)e)->policy != EBT_DROP &&
((struct ebt_entries *)e)->policy != EBT_ACCEPT) { ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
/* only RETURN from udc */ /* only RETURN from udc */
...@@ -476,6 +477,8 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e, ...@@ -476,6 +477,8 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e,
return 0; return 0;
} }
/* a plain old entry, heh */ /* a plain old entry, heh */
if (left < sizeof(struct ebt_entry))
goto Esmall;
if (sizeof(struct ebt_entry) > e->watchers_offset || if (sizeof(struct ebt_entry) > e->watchers_offset ||
e->watchers_offset > e->target_offset || e->watchers_offset > e->target_offset ||
e->target_offset >= e->next_offset) { e->target_offset >= e->next_offset) {
...@@ -487,10 +490,16 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e, ...@@ -487,10 +490,16 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e,
BUGPRINT("target size too small\n"); BUGPRINT("target size too small\n");
return -EINVAL; return -EINVAL;
} }
if (left < e->next_offset)
goto Esmall;
(*cnt)++; (*cnt)++;
(*totalcnt)++; (*totalcnt)++;
return 0; return 0;
Esmall:
BUGPRINT("entries_size too small\n");
return -EINVAL;
} }
struct ebt_cl_stack struct ebt_cl_stack
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment