diff options
| author | Dmitry Mishin <dim@openvz.org> | 2006-10-31 00:12:55 +0100 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-10-31 00:24:44 +0100 |
| commit | 590bdf7fd2292b47c428111cb1360e312eff207e (patch) | |
| tree | c44b60a5e40b5e16e3478aecb839825b4a602ced /REPORTING-BUGS | |
| parent | [NETFILTER]: remove masq/NAT from ip6tables Kconfig help (diff) | |
| download | linux-590bdf7fd2292b47c428111cb1360e312eff207e.tar.xz linux-590bdf7fd2292b47c428111cb1360e312eff207e.zip | |
[NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables
There is a number of issues in parsing user-provided table in
translate_table(). Malicious user with CAP_NET_ADMIN may crash system by
passing special-crafted table to the *_tables.
The first issue is that mark_source_chains() function is called before entry
content checks. In case of standard target, mark_source_chains() function
uses t->verdict field in order to determine new position. But the check, that
this field leads no further, than the table end, is in check_entry(), which
is called later, than mark_source_chains().
The second issue, that there is no check that target_offset points inside
entry. If so, *_ITERATE_MATCH macro will follow further, than the entry
ends. As a result, we'll have oops or memory disclosure.
And the third issue, that there is no check that the target is completely
inside entry. Results are the same, as in previous issue.
Signed-off-by: Dmitry Mishin <dim@openvz.org>
Acked-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'REPORTING-BUGS')
0 files changed, 0 insertions, 0 deletions