[net,2/5] netfilter: xt_sctp: validate the flag_info count

Message ID	20230830235935.465690-3-pablo@netfilter.org
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Pablo Neira Ayuso <pablo@netfilter.org> To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com Subject: [PATCH net 2/5] netfilter: xt_sctp: validate the flag_info count Date: Thu, 31 Aug 2023 01:59:32 +0200 Message-Id: <20230830235935.465690-3-pablo@netfilter.org> In-Reply-To: <20230830235935.465690-1-pablo@netfilter.org> References: <20230830235935.465690-1-pablo@netfilter.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[net,1/5] netfilter: nft_exthdr: Fix non-linear header modification \| expand [net,1/5] netfilter: nft_exthdr: Fix non-linear header modification [net,2/5] netfilter: xt_sctp: validate the flag_info count [net,3/5] netfilter: xt_u32: validate user space input [net,4/5] netfilter: nf_tables: Audit log setelem reset [net,5/5] netfilter: nf_tables: Audit log rule reset

Message ID

20230830235935.465690-3-pablo@netfilter.org

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
        pabeni@redhat.com, edumazet@google.com
Subject: [PATCH net 2/5] netfilter: xt_sctp: validate the flag_info count
Date: Thu, 31 Aug 2023 01:59:32 +0200
Message-Id: <20230830235935.465690-3-pablo@netfilter.org>
In-Reply-To: <20230830235935.465690-1-pablo@netfilter.org>
References: <20230830235935.465690-1-pablo@netfilter.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[net,1/5] netfilter: nft_exthdr: Fix non-linear header modification | expand

Commit Message

Pablo Neira Ayuso Aug. 30, 2023, 11:59 p.m. UTC

From: Wander Lairson Costa <wander@redhat.com>

sctp_mt_check doesn't validate the flag_count field. An attacker can
take advantage of that to trigger a OOB read and leak memory
information.

Add the field validation in the checkentry function.

Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Cc: stable@vger.kernel.org
Reported-by: Lucas Leong <wmliang@infosec.exchange>
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_sctp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index e8961094a282..b46a6a512058 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -149,6 +149,8 @@  static int sctp_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_sctp_info *info = par->matchinfo;
 
+	if (info->flag_count > ARRAY_SIZE(info->flag_info))
+		return -EINVAL;
 	if (info->flags & ~XT_SCTP_VALID_FLAGS)
 		return -EINVAL;
 	if (info->invflags & ~XT_SCTP_VALID_FLAGS)

[net,2/5] netfilter: xt_sctp: validate the flag_info count

Commit Message

Patch