[patch 05/24] EBTABLES: Prevent wraparounds in checks for entry components sizes.

From: Chris Wright
Date: Thu Dec 14 2006 - 20:41:47 EST

Next message: Chris Wright: "[patch 24/24] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)"
Previous message: Chris Wright: "[patch 15/24] bonding: incorrect bonding state reported via ioctl"
In reply to: Chris Wright: "[patch 15/24] bonding: incorrect bonding state reported via ioctl"
Next in thread: Chris Wright: "[patch 24/24] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.18-stable review patch. If anyone has any objections, please let us know.
------------------

From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>

---
net/bridge/netfilter/ebtables.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)

--- linux-2.6.18.5.orig/net/bridge/netfilter/ebtables.c
+++ linux-2.6.18.5/net/bridge/netfilter/ebtables.c
@@ -360,10 +360,11 @@ ebt_check_match(struct ebt_entry_match *
const char *name, unsigned int hookmask, unsigned int *cnt)
{
struct ebt_match *match;
+ size_t left = ((char *)e + e->watchers_offset) - (char *)m;
int ret;

- if (((char *)m) + m->match_size + sizeof(struct ebt_entry_match) >
- ((char *)e) + e->watchers_offset)
+ if (left < sizeof(struct ebt_entry_match) ||
+ left - sizeof(struct ebt_entry_match) < m->match_size)
return -EINVAL;
match = find_match_lock(m->u.name, &ret, &ebt_mutex);
if (!match)
@@ -389,10 +390,11 @@ ebt_check_watcher(struct ebt_entry_watch
const char *name, unsigned int hookmask, unsigned int *cnt)
{
struct ebt_watcher *watcher;
+ size_t left = ((char *)e + e->target_offset) - (char *)w;
int ret;

- if (((char *)w) + w->watcher_size + sizeof(struct ebt_entry_watcher) >
- ((char *)e) + e->target_offset)
+ if (left < sizeof(struct ebt_entry_watcher) ||
+ left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
return -EINVAL;
watcher = find_watcher_lock(w->u.name, &ret, &ebt_mutex);
if (!watcher)
@@ -595,6 +597,7 @@ ebt_check_entry(struct ebt_entry *e, str
struct ebt_entry_target *t;
struct ebt_target *target;
unsigned int i, j, hook = 0, hookmask = 0;
+ size_t gap = e->next_offset - e->target_offset;
int ret;

/* don't mess with the struct ebt_entries */
@@ -656,8 +659,7 @@ ebt_check_entry(struct ebt_entry *e, str

t->u.target = target;
if (t->u.target == &ebt_standard_target) {
- if (e->target_offset + sizeof(struct ebt_standard_target) >
- e->next_offset) {
+ if (gap < sizeof(struct ebt_standard_target)) {
BUGPRINT("Standard target size too big\n");
ret = -EFAULT;
goto cleanup_watchers;
@@ -668,8 +670,7 @@ ebt_check_entry(struct ebt_entry *e, str
ret = -EFAULT;
goto cleanup_watchers;
}
- } else if ((e->target_offset + t->target_size +
- sizeof(struct ebt_entry_target) > e->next_offset) ||
+ } else if (t->target_size > gap - sizeof(struct ebt_entry_target) ||
(t->u.target->check &&
t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){
module_put(t->u.target->me);

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wright: "[patch 24/24] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)"
Previous message: Chris Wright: "[patch 15/24] bonding: incorrect bonding state reported via ioctl"
In reply to: Chris Wright: "[patch 15/24] bonding: incorrect bonding state reported via ioctl"
Next in thread: Chris Wright: "[patch 24/24] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]