c301f0981f
The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on... On each
iteration we are writing 8 bytes. But dst[] is an array of u32 so each
element only has space for 4 bytes. That means that every iteration
overwrites part of the previous element.
I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue. I think that the reason we have not detected this bug in testing
is that most of time we only write one element.
Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|---|---|---|
| .. | ||
| ipv4 | ||
| ipv6 | ||
| br_netfilter.h | ||
| nf_bpf_link.h | ||
| nf_conntrack_acct.h | ||
| nf_conntrack_act_ct.h | ||
| nf_conntrack_bpf.h | ||
| nf_conntrack_bridge.h | ||
| nf_conntrack_core.h | ||
| nf_conntrack_count.h | ||
| nf_conntrack_ecache.h | ||
| nf_conntrack_expect.h | ||
| nf_conntrack_extend.h | ||
| nf_conntrack_helper.h | ||
| nf_conntrack_l4proto.h | ||
| nf_conntrack_labels.h | ||
| nf_conntrack_seqadj.h | ||
| nf_conntrack_synproxy.h | ||
| nf_conntrack_timeout.h | ||
| nf_conntrack_timestamp.h | ||
| nf_conntrack_tuple.h | ||
| nf_conntrack_zones.h | ||
| nf_conntrack.h | ||
| nf_dup_netdev.h | ||
| nf_flow_table.h | ||
| nf_hooks_lwtunnel.h | ||
| nf_log.h | ||
| nf_nat_helper.h | ||
| nf_nat_masquerade.h | ||
| nf_nat_redirect.h | ||
| nf_nat.h | ||
| nf_queue.h | ||
| nf_reject.h | ||
| nf_socket.h | ||
| nf_synproxy.h | ||
| nf_tables_core.h | ||
| nf_tables_ipv4.h | ||
| nf_tables_ipv6.h | ||
| nf_tables_offload.h | ||
| nf_tables.h | ||
| nf_tproxy.h | ||
| nft_fib.h | ||
| nft_meta.h | ||
| nft_reject.h | ||
| xt_rateest.h | ||