diff options
| author |   Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2016-03-08 20:29:10 +0100 |
|---|---|---|
| committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2016-03-08 20:36:17 +0100 |
| commit | d8aacd87180141ff6b812b53de77a4336e87c91a (patch) | |
| tree | 66fe7872cb80156e6e58e9b95978d6fb9a6f3063 /net/netfilter/ipset/ip_set_hash_mac.c | |
| parent | netfilter: ipset: Fix set:list type crash when flush/dump set in parallel (diff) | |
| download | linux-dev-d8aacd87180141ff6b812b53de77a4336e87c91a.tar.xz linux-dev-d8aacd87180141ff6b812b53de77a4336e87c91a.zip | |
netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length
Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
was not checked explicitly, just for the maximum possible size. Malicious
netlink clients could send shorter attribute and thus resulting a kernel
read after the buffer.
The patch adds the explicit length checkings.
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Diffstat (limited to 'net/netfilter/ipset/ip_set_hash_mac.c')
| -rw-r--r-- | net/netfilter/ipset/ip_set_hash_mac.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/ipset/ip_set_hash_mac.c b/net/netfilter/ipset/ip_set_hash_mac.c index f1e7d2c0f685..8f004edad396 100644 --- a/net/netfilter/ipset/ip_set_hash_mac.c +++ b/net/netfilter/ipset/ip_set_hash_mac.c @@ -110,7 +110,8 @@ hash_mac4_uadt(struct ip_set *set, struct nlattr *tb[], if (tb[IPSET_ATTR_LINENO]) *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); - if (unlikely(!tb[IPSET_ATTR_ETHER])) + if (unlikely(!tb[IPSET_ATTR_ETHER] || + nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN)) return -IPSET_ERR_PROTOCOL; ret = ip_set_get_extensions(set, tb, &ext); |