From patchwork Sat Sep 22 13:46:48 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 973581 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=oracle.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=oracle.com header.i=@oracle.com header.b="keDWKaq3"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 42HWww5d7Vz9s9G for ; Sat, 22 Sep 2018 23:47:12 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732058AbeIVTkt (ORCPT ); Sat, 22 Sep 2018 15:40:49 -0400 Received: from aserp2120.oracle.com ([141.146.126.78]:38530 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727013AbeIVTks (ORCPT ); Sat, 22 Sep 2018 15:40:48 -0400 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w8MDix1k064119; Sat, 22 Sep 2018 13:46:58 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=corp-2018-07-02; bh=3IAOPSpRkXWIhsHm2byaGgp0knR91p2aRaPCEjJJaZo=; b=keDWKaq3VGV+teUo/P8h+6XWKxpnApyH+/dD9yyc1K7+ItaDw0bhAE79gCn5FCZo5RgC vFZU45EeGhnGBRrAfqhkKYrunPt5w/xeG9BoHoiRImBq63Nvk2Q1HKn+ZBJ+eLOnbwG2 zGVJ1qtX+Kw9dg5/9cY38vF61kbJ26QS64GdFmkIMIHPwo34v18TFBWv07e/Rrwa6EjP VIIxOSCAgMwqaiRcAgf42PKhIbHOwyBdGUdextRYVLxpsl3tSQPTIBQ2Jssj8vmIfBqm S4QJFY0JHu77eWMFEPoWU3CAG7D+yTERNcu3cPb3w2fIuuVkUmgdJug7rAi6XTYw+rme qQ== Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp2120.oracle.com with ESMTP id 2mndpp0u43-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 22 Sep 2018 13:46:58 +0000 Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w8MDkv7x029155 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 22 Sep 2018 13:46:57 GMT Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w8MDktVs001260; Sat, 22 Sep 2018 13:46:56 GMT Received: from mwanda (/197.232.248.111) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sat, 22 Sep 2018 06:46:55 -0700 Date: Sat, 22 Sep 2018 16:46:48 +0300 From: Dan Carpenter To: Jamal Hadi Salim , Patrick McHardy Cc: Cong Wang , Jiri Pirko , "David S. Miller" , netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH net] net: sched: act_ipt: check for underflow in __tcf_ipt_init() Message-ID: <20180922134648.GA7027@mwanda> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding User-Agent: Mutt/1.10.1 (2018-07-13) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9023 signatures=668707 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809220146 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If "td->u.target_size" is larger than sizeof(struct xt_entry_target) we return -EINVAL. But we don't check whether it's smaller than sizeof(struct xt_entry_target) and that could lead to an out of bounds read. Fixes: 7ba699c604ab ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API") Signed-off-by: Dan Carpenter --- I haven't tested this. Please review carefully. diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c index 1efbfb10b1fc..8af6c11d2482 100644 --- a/net/sched/act_ipt.c +++ b/net/sched/act_ipt.c @@ -135,7 +135,7 @@ static int __tcf_ipt_init(struct net *net, unsigned int id, struct nlattr *nla, } td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]); - if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) { + if (nla_len(tb[TCA_IPT_TARG]) != td->u.target_size) { if (exists) tcf_idr_release(*a, bind); else