
Contents of /backports/8/kernel/current/SOURCES/netfilter-nft_payload-report-erange-for-too-long-off.patch



Revision 1881590 - (show annotations) (download)
Mon Aug 29 03:49:40 2022 UTC (19 months, 3 weeks ago) by tmb
File size: 1676 byte(s)
- add current -stable queue
- io_uring: fix issue with io_write() not always undoing sb_start_write()
- HID: input: fix uclogic tablets


1 From d886a5d79d449a2407f137dc196d76e5a6e39f42 Mon Sep 17 00:00:00 2001
2 From: Sasha Levin <sashal@kernel.org>
3 Date: Sun, 21 Aug 2022 11:47:04 +0200
4 Subject: netfilter: nft_payload: report ERANGE for too long offset and length
5
6 From: Pablo Neira Ayuso <pablo@netfilter.org>
7
8 [ Upstream commit 94254f990c07e9ddf1634e0b727fab821c3b5bf9 ]
9
10 Instead of truncating offset and length to u8, report ERANGE.
11
12 Fixes: 96518518cc41 ("netfilter: add nftables")
13 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
14 Signed-off-by: Sasha Levin <sashal@kernel.org>
15 ---
16 net/netfilter/nft_payload.c | 10 ++++++++--
17 1 file changed, 8 insertions(+), 2 deletions(-)
18
19 diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
20 index 2e7ac007cb30f..4fee67abfe2c5 100644
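--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -833,6 +833,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
 {
 enum nft_payload_bases base;
 unsigned int offset, len;
+ int err;
 
 if (tb[NFTA_PAYLOAD_BASE] == NULL ||
 tb[NFTA_PAYLOAD_OFFSET] == NULL ||
@@ -859,8 +860,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
 if (tb[NFTA_PAYLOAD_DREG] == NULL)
 return ERR_PTR(-EINVAL);
 
- offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
- len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
+ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);
+ if (err < 0)
+ return ERR_PTR(err);
+
+ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len);
+ if (err < 0)
+ return ERR_PTR(err);
 
 if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
 base != NFT_PAYLOAD_LL_HEADER && base != NFT_PAYLOAD_INNER_HEADER)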
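Review bot: The new U8_MAX bound in the second hunk sits after the `tb[NFTA_PAYLOAD_DREG] == NULL` test, so it only protects paths that continue past that point. The lines between the two hunks are not shown, and any earlier return there (for example one that selects a different ops table) would still accept offset and length from userspace without this check. It is worth confirming that every init routine reading `NFTA_PAYLOAD_OFFSET` and `NFTA_PAYLOAD_LEN` either calls `nft_parse_u32_check()` itself or is reachable only after it, because a silently truncated offset makes a rule inspect different bytes than the ruleset author specified. A short comment above the two calls would record the reason for the limit, e.g. `/* offset and len are stored as u8; reject larger values instead of truncating */`. The body of nft_payload_select_ops starts and ends outside the hunks.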
47 --
48 2.35.1
49
