From patchwork Tue Nov 28 21:26:30 2023
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1869482
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 1/2] libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm()
Date: Tue, 28 Nov 2023 22:26:30 +0100
Message-ID: <20231128212631.811-2-phil@nwl.cc>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <20231128212631.811-1-phil@nwl.cc>
References: <20231128212631.811-1-phil@nwl.cc>
X-Mailing-List: netfilter-devel@vger.kernel.org

Allocation of the temporary array did not account for a terminating NULL entry, causing array boundary overstepping in the called xtables_merge_options(), causing spurious errors in extension parameter parsing.

Fixes: ed8c3ea4015f0 ("libxtables: Combine the two extension option mergers")
Signed-off-by: Phil Sutter
---
 libxtables/xtoptions.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c index e27223e339cb2..433a686c2b595 100644 --- a/libxtables/xtoptions.c +++ b/libxtables/xtoptions.c 
@@ -93,12 +93,13 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, for (num_new = 0; entry[num_new].name != NULL; ++num_new) ; - mp = xtables_calloc(num_new, sizeof(*mp)); + mp = xtables_calloc(num_new + 1, sizeof(*mp)); for (i = 0; i < num_new; i++) { mp[i].name = entry[i].name; mp[i].has_arg = entry[i].type != XTTYPE_NONE; mp[i].val = entry[i].id; } + merge = xtables_merge_options(orig_opts, oldopts, mp, offset); free(mp); From patchwork Tue Nov 28 21:26:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869480 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=IiPjXTwk; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=139.178.88.99; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-98-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [139.178.88.99]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SfwFg0gCxz23nk for ; Wed, 29 Nov 2023 08:14:46 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 6B58B2830AD for ; Tue, 28 Nov 2023 21:14:45 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by 
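Review bot: the terminator slot added by `mp = xtables_calloc(num_new + 1, sizeof(*mp));` is never written by the loop below it, so the end marker exists only because calloc() zero-fills; a one-line comment above the allocation saying that the trailing all-zero entry is the terminator xtables_merge_options() scans for, the same `name != NULL` convention the counting loop two lines up relies on, would keep a later switch to a non-zeroing allocator from reintroducing the over-read. Minor: the bare `+` blank line inserted before `merge = xtables_merge_options(orig_opts, oldopts, mp, offset);` is an unrelated whitespace change in a Fixes: patch.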
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 2/2] libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks Date: Tue, 28 Nov 2023 22:26:31 +0100 Message-ID: <20231128212631.811-3-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231128212631.811-1-phil@nwl.cc> References: <20231128212631.811-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In order to parse the mask, xtopt_parse_hostmask() calls xtopt_parse_plenmask() thereby limiting netmask support to prefix lengths (alternatively specified in IP address notation). In order to lift this impractical restriction, make xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may fall back to xtopt_parse_mask() which correctly initializes val.hmask itself and indicates non-CIDR-compatible masks by setting val.hlen to -1. So in order to support these odd masks, it is sufficient for xtopt_parse_plenmask() to skip its mask building from val.hlen value and take whatever val.hmask contains. Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") Signed-off-by: Phil Sutter --- libxtables/xtoptions.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c index 433a686c2b595..02025e99d4832 100644 --- a/libxtables/xtoptions.c +++ b/libxtables/xtoptions.c @@ -692,6 +692,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb) xtopt_parse_plen(cb); + /* may not be convertible to CIDR notation */ + if (cb->val.hlen == (uint8_t)-1) + goto out_put; + memset(mask, 0xFF, sizeof(union nf_inet_addr)); /* This shifting is AF-independent. */ if (cb->val.hlen == 0) { @@ -712,6 +716,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb) mask[1] = htonl(mask[1]); mask[2] = htonl(mask[2]); mask[3] = htonl(mask[3]); +out_put: if (entry->flags & XTOPT_PUT) memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr)); }
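Review bot: the early exit `if (cb->val.hlen == (uint8_t)-1) goto out_put;` hard-codes the sentinel that, per the description, xtopt_parse_mask() stores in val.hlen for masks without a prefix-length form; a named constant shared by both sites, or at least extending the comment `/* may not be convertible to CIDR notation */` to say that xtopt_parse_mask() sets hlen to -1 in that case, would tie producer and consumer together. The value itself is safe: a valid prefix length is at most 128, so 255 cannot be mistaken for one.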
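Review bot: on the `goto out_put` path the memcpy() after the new `out_put:` label copies from `mask` without any of the shifting or htonl() conversions above it having run, so the result is correct only if `mask` aliases cb->val.hmask and xtopt_parse_mask() already left that field in the byte order the XTOPT_PUT consumer expects; neither is visible in this hunk, so a short comment at the label stating that val.hmask is taken as filled in by xtopt_parse_mask() (as the description says) would document the assumption.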
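The behaviour patch 2/2 restores, parsing a hostmask given either as a prefix length or in address notation and flagging masks that have no CIDR form, is easier to see in a stand-alone form. The block below is an added example written for this page, not libxtables code: `struct hostmask`, `parse_hostmask`, `mask_from_plen`, `plen_from_mask`, `addr_in_net` and `HLEN_NONCIDR` are this example's own names. It mirrors two things from the patch, the AF-independent 128-bit mask built from a prefix length and the `(uint8_t)-1` sentinel in the length field for non-CIDR masks such as 255.0.255.0, and adds the reverse check (mask to prefix length) that decides which case applies.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Example code for this page, not libxtables. HLEN_NONCIDR is the
 * (uint8_t)-1 sentinel the patch checks; struct and function names
 * are this example's own. */
#define HLEN_NONCIDR ((uint8_t)-1)

struct hostmask {
    uint32_t mask[4];   /* network byte order, like nf_inet_addr.all */
    uint8_t hlen;       /* prefix length, or HLEN_NONCIDR */
};

/* Prefix length -> mask, same AF-independent 128-bit shifting as
 * xtopt_parse_plenmask(). Caller guarantees plen <= 128. */
static void mask_from_plen(uint32_t mask[4], unsigned plen)
{
    memset(mask, 0xFF, 4 * sizeof(uint32_t));
    if (plen == 0) {
        mask[0] = mask[1] = mask[2] = mask[3] = 0;
    } else if (plen <= 32) {
        mask[0] <<= 32 - plen;
        mask[1] = mask[2] = mask[3] = 0;
    } else if (plen <= 64) {
        mask[1] <<= 32 - (plen - 32);
        mask[2] = mask[3] = 0;
    } else if (plen <= 96) {
        mask[2] <<= 32 - (plen - 64);
        mask[3] = 0;
    } else {
        mask[3] <<= 32 - (plen - 96);
    }
    for (int i = 0; i < 4; i++)
        mask[i] = htonl(mask[i]);
}

/* Mask -> prefix length, or -1 when the set bits are not one contiguous
 * run from the top (e.g. 255.0.255.0), i.e. the mask has no CIDR form. */
static int plen_from_mask(const uint32_t mask[4], int words)
{
    int plen = 0;
    bool seen_zero = false;

    for (int i = 0; i < words; i++) {
        uint32_t w = ntohl(mask[i]);
        if (seen_zero && w != 0)
            return -1;      /* ones after an earlier zero */
        while (w & 0x80000000u) {
            plen++;
            w <<= 1;
        }
        if (w != 0)
            return -1;      /* a set bit after a clear one */
        seen_zero = seen_zero || ntohl(mask[i]) != 0xFFFFFFFFu;
    }
    return plen;
}

/* Parse "24", "255.255.255.0", "ffff:ffff::", ... for family af. Numeric
 * input is a prefix length; anything else falls back to address notation,
 * as xtopt_parse_plen() falls back to xtopt_parse_mask(). 0 = ok, -1 = bad. */
static int parse_hostmask(int af, const char *s, struct hostmask *out)
{
    unsigned maxlen = (af == AF_INET6) ? 128 : 32;
    int words = (af == AF_INET6) ? 4 : 1;
    char *end;
    unsigned long plen = strtoul(s, &end, 10);

    memset(out, 0, sizeof(*out));
    if (*s != '\0' && *end == '\0') {
        if (plen > maxlen)
            return -1;
        out->hlen = (uint8_t)plen;
        mask_from_plen(out->mask, (unsigned)plen);
        return 0;
    }
    if (inet_pton(af, s, out->mask) != 1)
        return -1;
    int p = plen_from_mask(out->mask, words);
    out->hlen = (p < 0) ? HLEN_NONCIDR : (uint8_t)p;
    return 0;
}

/* (addr & mask) == (net & mask): what a non-CIDR mask is used for. */
static bool addr_in_net(int af, const char *addr, const char *net,
                        const struct hostmask *hm)
{
    uint32_t a[4] = {0}, n[4] = {0};
    int words = (af == AF_INET6) ? 4 : 1;

    if (inet_pton(af, addr, a) != 1 || inet_pton(af, net, n) != 1)
        return false;
    for (int i = 0; i < words; i++)
        if ((a[i] & hm->mask[i]) != (n[i] & hm->mask[i]))
            return false;
    return true;
}
```

Calling `parse_hostmask(AF_INET, "255.0.255.0", &hm)` leaves `hm.hlen == HLEN_NONCIDR` with the mask intact, so a caller such as `addr_in_net(AF_INET, "10.7.5.9", "10.0.5.0", &hm)` still matches on the first and third octets; before the fix that mask was rebuilt from the 255 in hlen and silently lost. The same "numeric or address notation" split is why the sentinel cannot collide with a real length: `parse_hostmask` rejects any numeric input above 32 or 128 before it ever reaches hlen.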