Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-19 10:31:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
fa803605ee
linux/net/bridge
History
Willem de Bruijn 324318f024 netfilter: xtables: zero padding in data_to_user 
When looking up an iptables rule, the iptables binary compares the
aligned match and target data (XT_ALIGN). In some cases this can
exceed the actual data size to include padding bytes.

Before commit f77bc5b23f ("iptables: use match, target and data
copy_to_user helpers") the malloc()ed bytes were overwritten by the
kernel with kzalloced contents, zeroing the padding and making the
comparison succeed. After this patch, the kernel copies and clears
only data, leaving the padding bytes undefined.

Extend the clear operation from data size to aligned data size to
include the padding bytes, if any.

Padding bytes can be observed in both match and target, and the bug
triggered, by issuing a rule with match icmp and target ACCEPT:

  iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
  iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT

Fixes: f77bc5b23f ("iptables: use match, target and data copy_to_user helpers")
Reported-by: Paul Moore <pmoore@redhat.com>
Reported-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-05-15 12:51:38 +02:00
..
netfilter netfilter: xtables: zero padding in data_to_user 2017-05-15 12:51:38 +02:00
br_device.c bridge: move bridge multicast cleanup to ndo_uninit 2017-04-25 14:02:39 -04:00
br_fdb.c net: bridge: Fix improper taking over HW learned FDB 2017-04-30 22:46:32 -04:00
br_forward.c bridge: add per-port broadcast flood flag 2017-04-27 16:34:29 -04:00
br_if.c bridge: add per-port broadcast flood flag 2017-04-27 16:34:29 -04:00
br_input.c bridge: drop netfilter fake rtable unconditionally 2017-03-13 13:01:10 -07:00
br_ioctl.c bridge: move to workqueue gc 2017-02-06 22:53:13 -05:00
br_mdb.c net: rtnetlink: plumb extended ack to doit function 2017-04-17 15:35:38 -04:00
br_multicast.c bridge: implement missing ndo_uninit() 2017-04-11 22:22:44 -04:00
br_netfilter_hooks.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-03-23 16:41:27 -07:00
br_netfilter_ipv6.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
br_netlink_tunnel.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
br_netlink.c bridge: netlink: account for IFLA_BRPORT_{B, M}CAST_FLOOD size and policy 2017-05-05 11:21:03 -04:00
br_nf_core.c net: Remove protocol from struct dst_ops 2015-03-09 16:06:10 -04:00
br_private_stp.h net: bridge: add helper to set topology change 2016-12-10 21:27:23 -05:00
br_private_tunnel.h bridge: vlan dst_metadata hooks in ingress and egress paths 2017-02-03 15:21:22 -05:00
br_private.h bridge: implement missing ndo_uninit() 2017-04-11 22:22:44 -04:00
br_stp_bpdu.c netfilter: Pass net into okfn 2015-09-17 17:18:37 -07:00
br_stp_if.c bridge: move to workqueue gc 2017-02-06 22:53:13 -05:00
br_stp_timer.c bridge: move to workqueue gc 2017-02-06 22:53:13 -05:00
br_stp.c bridge: move to workqueue gc 2017-02-06 22:53:13 -05:00
br_switchdev.c bridge: switchdev: Add forward mark support for stacked devices 2016-08-26 13:13:36 -07:00
br_sysfs_br.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
br_sysfs_if.c bridge: add per-port broadcast flood flag 2017-04-27 16:34:29 -04:00
br_vlan_tunnel.c bridge: vlan_tunnel: explicitly reset metadata attrs to NULL on failure 2017-02-17 13:33:41 -05:00
br_vlan.c bridge: Fix error path in nbp_vlan_init 2017-03-01 14:55:28 -08:00
br.c netfilter: bridge: clarify bridge/netfilter message 2016-10-02 22:44:03 -04:00
Kconfig bridge: Add vlan filtering infrastructure 2013-02-13 19:41:46 -05:00
Makefile bridge: per vlan dst_metadata netlink support 2017-02-03 15:21:22 -05:00