summaryrefslogtreecommitdiff
path: root/net/ipv6
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2016-04-01 14:17:28 +0200
committerJiri Slaby <jslaby@suse.cz>2016-07-21 08:35:43 +0200
commit1812c704ac70a37c06f239d7c06fd4331a25c779 (patch)
treec89e5feaad3e98c052920e8fc91e7027fbb85dd2 /net/ipv6
parentcaa0e0bfbda8c8e38dec7a907b6365014e0e5659 (diff)
netfilter: x_tables: check for bogus target offset
commit ce683e5f9d045e5d67d1312a42b359cb2ab2a13c upstream. We're currently asserting that targetoff + targetsize <= nextoff. Extend it to also check that targetoff is >= sizeof(xt_entry). Since this is generic code, add an argument pointing to the start of the match/target, we can then derive the base structure size from the delta. We also need the e->elems pointer in a followup change to validate matches. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/ip6_tables.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1949305e2613..ac964d914eca 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -732,7 +732,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
if (!ip6_checkentry(&e->ipv6))
return -EINVAL;
- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
+ e->next_offset);
if (err)
return err;
@@ -1500,7 +1501,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
if (!ip6_checkentry(&e->ipv6))
return -EINVAL;
- ret = xt_compat_check_entry_offsets(e,
+ ret = xt_compat_check_entry_offsets(e, e->elems,
e->target_offset, e->next_offset);
if (ret)
return ret;