git.samba.org - ksmbd.git/commit

author	Eric Dumazet <edumazet@google.com>
	Tue, 9 Apr 2024 12:07:41 +0000 (12:07 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 17 Apr 2024 09:19:30 +0000 (11:19 +0200)
commit	89242d9584c342cb83311b598d9e6b82572eadf8
tree	895c851a1c7cdf70ea0be5761d4bf76f39a7c7a9	tree
parent	e2c680fce9854222e535c1746d02c18765b9edd2	commit \| diff

netfilter: complete validation of user input

[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ]

In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.

In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:

if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
return -EINVAL;

Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history