| Message ID | 20220714212828.623587-3-cascardo@canonical.com |
|---|---|
| State | New |
| Series | [SRU,Focal,1/1] netfilter: nf_tables: stricter validation of element data |
On 14.07.22 23:28, Thadeu Lima de Souza Cascardo wrote: > From: Pablo Neira Ayuso <pablo@netfilter.org> > > Make sure element data type and length do not mismatch the one specified > by the set declaration. > > Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data") > Reported-by: Hugues ANGUELKOV <hanguelkov@randorisec.fr> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > CVE-2022-34918 > (backported from commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6) > [cengizcan: target function does not exist until 5.8 so follow history > backwards, find previous place of length check and adapt the change for > 5.4] > Signed-off-by: Cengiz Can <cengiz.can@canonical.com> > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- Applied to focal:linux/master-next. Thanks. -Stefan > net/netfilter/nf_tables_api.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 24f18d6a0a50..54efb96705e5 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -4531,6 +4531,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, > struct nft_data data; > enum nft_registers dreg; > struct nft_trans *trans; > + u32 dtype; > u32 flags = 0; > u64 timeout; > u64 expiration; > @@ -4630,7 +4631,13 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, > goto err2; > > err = -EINVAL; > - if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen) > + > + if (set->dtype == NFT_DATA_VERDICT) > + dtype = NFT_DATA_VERDICT; > + else > + dtype = NFT_DATA_VALUE; > + > + if (dtype != d2.type || set->dlen != d2.len) > goto err3; > > dreg = nft_type_to_reg(set->dtype);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 24f18d6a0a50..54efb96705e5 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4531,6 +4531,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, struct nft_data data; enum nft_registers dreg; struct nft_trans *trans; + u32 dtype; u32 flags = 0; u64 timeout; u64 expiration; @@ -4630,7 +4631,13 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, goto err2; err = -EINVAL; - if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen) + + if (set->dtype == NFT_DATA_VERDICT) + dtype = NFT_DATA_VERDICT; + else + dtype = NFT_DATA_VALUE; + + if (dtype != d2.type || set->dlen != d2.len) goto err3; dreg = nft_type_to_reg(set->dtype);
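Review bot: The rewritten check in the second hunk closes two gaps in the old condition, and both deserve a sentence in the description: the old `if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)` never compared the parsed data's type with the set's declared type, and it skipped the length comparison entirely for verdict sets, so the new `if (dtype != d2.type || set->dlen != d2.len)` now rejects a type mismatch for every set and a length mismatch for verdict sets as well. Two things to confirm on this 5.4 target, since the check was relocated by hand rather than taken from the upstream function: that `err3` releases the already-parsed `data` (the `goto` fires after `d2` and `data` have been filled in), and that `set->dlen` is populated for verdict sets at declaration time, otherwise valid verdict elements would now fail the `set->dlen != d2.len` leg. Minor: the blank line inserted between `err = -EINVAL;` and the checks it governs separates the assignment from its use; dropping it keeps the assignment next to the conditions it applies to.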