OpenCloudOS-Kernel/net/bridge
Florian Westphal c8d70a700a netfilter: bridge: ebt_among: add more missing match size checks
ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

commit c4585a2823 ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed fact that the macros
ebt_among_wh_src/dst can already return out-of-bound result because
they do not check value of wh_src/dst_ofs (an offset) vs. the size
of the match that userspace gave to us.

v2:
check that offset has correct alignment.
Paolo Abeni points out that we should also check that src/dst
wormhash arrays do not overlap, and src + length lines up with
start of dst (or vice versa).
v3: compact wormhash_sizes_valid() part

NB: Fixes tag is intentionally wrong, this bug exists from day
one when match was added for 2.6 kernel. Tag is there so stable
maintainers will notice this one too.

Tested with same rules from the earlier patch.

Fixes: c4585a2823 ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc009@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-03-11 21:24:49 +01:00
..
netfilter netfilter: bridge: ebt_among: add more missing match size checks 2018-03-11 21:24:49 +01:00
Kconfig bridge: Add vlan filtering infrastructure 2013-02-13 19:41:46 -05:00
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
br.c net: bridge: add notifications for the bridge dev on vlan change 2017-11-02 15:53:40 +09:00
br_arp_nd_proxy.c bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports 2017-10-08 21:12:04 -07:00
br_device.c net: bridge: use rhashtable for fdbs 2017-12-13 15:10:01 -05:00
br_fdb.c net: bridge: Fix uninitialized error in br_fdb_sync_static() 2018-02-01 09:47:37 -05:00
br_forward.c bridge: add new BR_NEIGH_SUPPRESS port flag to suppress arp and nd flood 2017-10-08 21:12:04 -07:00
br_if.c net: bridge: add notifications for the bridge dev on vlan change 2017-11-02 15:53:40 +09:00
br_input.c net: bridge: Rename mglist to host_joined 2017-11-10 13:41:40 +09:00
br_ioctl.c net: bridge: add notifications for the bridge dev on vlan change 2017-11-02 15:53:40 +09:00
br_mdb.c net: use rtnl_register_module where needed 2017-12-04 11:32:39 -05:00
br_multicast.c net: bridge: Send notification when host join/leaves a group 2017-11-10 13:41:40 +09:00
br_netfilter_hooks.c netfilter: increase IPSTATS_MIB_CSUMERRORS stat 2018-02-25 20:14:18 +01:00
br_netfilter_ipv6.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
br_netlink.c net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks 2017-12-18 13:29:01 -05:00
br_netlink_tunnel.c bridge: netlink: make setlink/dellink notifications more accurate 2017-10-29 11:03:43 +09:00
br_nf_core.c xfrm: Move dst->path into struct xfrm_dst 2017-11-30 09:54:26 -05:00
br_private.h bridge: return boolean instead of integer in br_multicast_is_router 2018-01-22 16:13:20 -05:00
br_private_stp.h net: bridge: add helper to set topology change 2016-12-10 21:27:23 -05:00
br_private_tunnel.h bridge: netlink: make setlink/dellink notifications more accurate 2017-10-29 11:03:43 +09:00
br_stp.c net: bridge: add notifications for the bridge dev on vlan change 2017-11-02 15:53:40 +09:00
br_stp_bpdu.c net: introduce __skb_put_[zero, data, u8] 2017-06-20 13:30:14 -04:00
br_stp_if.c net: bridge: add notifications for the bridge dev on vlan change 2017-11-02 15:53:40 +09:00
br_stp_timer.c net: bridge: Convert timers to use timer_setup() 2017-11-03 15:42:49 +09:00
br_switchdev.c net: bridge: use rhashtable for fdbs 2017-12-13 15:10:01 -05:00
br_sysfs_br.c bridge: Use helpers to handle MAC address 2017-12-20 12:46:11 -05:00
br_sysfs_if.c bridge: check brport attr show in brport_show 2018-02-12 11:17:28 -05:00
br_vlan.c bridge: Fix VLAN reference count problem 2018-02-26 15:15:53 -05:00
br_vlan_tunnel.c bridge: vlan_tunnel: explicitly reset metadata attrs to NULL on failure 2017-02-17 13:33:41 -05:00