89242d9584
[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ]
In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.
In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:
if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
return -EINVAL;
Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| ip6_tables.c | ||
| ip6t_NPT.c | ||
| ip6t_REJECT.c | ||
| ip6t_SYNPROXY.c | ||
| ip6t_ah.c | ||
| ip6t_eui64.c | ||
| ip6t_frag.c | ||
| ip6t_hbh.c | ||
| ip6t_ipv6header.c | ||
| ip6t_mh.c | ||
| ip6t_rpfilter.c | ||
| ip6t_rt.c | ||
| ip6t_srh.c | ||
| ip6table_filter.c | ||
| ip6table_mangle.c | ||
| ip6table_nat.c | ||
| ip6table_raw.c | ||
| ip6table_security.c | ||
| nf_conntrack_reasm.c | ||
| nf_defrag_ipv6_hooks.c | ||
| nf_dup_ipv6.c | ||
| nf_reject_ipv6.c | ||
| nf_socket_ipv6.c | ||
| nf_tproxy_ipv6.c | ||
| nft_dup_ipv6.c | ||
| nft_fib_ipv6.c | ||
| nft_reject_ipv6.c | ||