Re: [PATCH 4.19 38/38] netfilter: ctnetlink: add a range check for l3/l4 protonum

[Pavel Machek]

Hi!

> From: Will McVicker <willmcvicker@xxxxxxxxxx>
> 
> commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream.
> 
> The indexes to the nf_nat_l[34]protos arrays come from userspace. So
> check the tuple's family, e.g. l3num, when creating the conntrack in
> order to prevent an OOB memory access during setup.  Here is an example
> kernel panic on 4.14.180 when userspace passes in an index greater than
> NFPROTO_NUMPROTO.

Since this protects against OOB array access, should it use _nospec()
variant to protect from speculation attacks?

Best regards,
								Pavel

> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlatt
>  	if (!tb[CTA_TUPLE_IP])
>  		return -EINVAL;
>  
> +	if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
> +		return -EOPNOTSUPP;
>  	tuple->src.l3num = l3num;
>  
>  	err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
> 

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Attachment: signature.asc
Description: Digital signature