summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorDmitry Mishin <dim@openvz.org>2006-10-30 15:12:55 -0800
committerDavid S. Miller <davem@sunset.davemloft.net>2006-10-30 15:24:44 -0800
commit590bdf7fd2292b47c428111cb1360e312eff207e (patch)
treec44b60a5e40b5e16e3478aecb839825b4a602ced /include
parent844dc7c88046ecd2e52596730d7cc400d6c3ad67 (diff)
downloadop-kernel-dev-590bdf7fd2292b47c428111cb1360e312eff207e.zip
op-kernel-dev-590bdf7fd2292b47c428111cb1360e312eff207e.tar.gz
[NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables
There is a number of issues in parsing user-provided table in translate_table(). Malicious user with CAP_NET_ADMIN may crash system by passing special-crafted table to the *_tables. The first issue is that mark_source_chains() function is called before entry content checks. In case of standard target, mark_source_chains() function uses t->verdict field in order to determine new position. But the check, that this field leads no further, than the table end, is in check_entry(), which is called later, than mark_source_chains(). The second issue, that there is no check that target_offset points inside entry. If so, *_ITERATE_MATCH macro will follow further, than the entry ends. As a result, we'll have oops or memory disclosure. And the third issue, that there is no check that the target is completely inside entry. Results are the same, as in previous issue. Signed-off-by: Dmitry Mishin <dim@openvz.org> Acked-by: Kirill Korotaev <dev@openvz.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions
OpenPOWER on IntegriCloud