netfilter: ipset: add missing range check in bitmap_ip_uadt
authorJeongjun Park <aha310510@gmail.com>
Wed, 13 Nov 2024 13:02:09 +0000 (22:02 +0900)
committerJozsef Kadlecsik <kadlec@netfilter.org>
Sun, 15 Dec 2024 16:57:54 +0000 (17:57 +0100)
When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.

So we should add missing range checks and remove unnecessary range checks.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
kernel/net/netfilter/ipset/ip_set_bitmap_ip.c

index f37169c7801e37906453e5d76177612e01521d8a..ed99bf9eb27ac3a94c76c83e36f817f6e1df0a27 100644 (file)
@@ -165,11 +165,8 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
                if (ret)
                        return ret;
-               if (ip > ip_to) {
+               if (ip > ip_to)
                        swap(ip, ip_to);
-                       if (ip < map->first_ip)
-                               return -IPSET_ERR_BITMAP_RANGE;
-               }
        } else if (tb[IPSET_ATTR_CIDR]) {
                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 
@@ -180,7 +177,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
                ip_to = ip;
        }
 
-       if (ip_to > map->last_ip)
+       if (ip < map->first_ip || ip_to > map->last_ip)
                return -IPSET_ERR_BITMAP_RANGE;
 
        for (; !before(ip_to, ip); ip += map->hosts) {
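Review bot: The merged test `if (ip < map->first_ip || ip_to > map->last_ip)` is the last bounds gate visible before the loop that steps `ip` up to `ip_to`, but nothing in the code explains why the lower bound is tested here rather than where `ip` is first parsed. A later cleanup could easily treat it as redundant and reintroduce the missing check. I would put a short comment above it, for example `/* ip can change after parsing (swap with ip_to, CIDR masking), so validate both ends of the final range here */`. The CIDR branch is only partly visible in these hunks, so the masking part of that wording rests on the commit message and should be confirmed against the full body of bitmap_ip_uadt, which begins before the first hunk and continues past this one. Since this came from a syzbot report, a regression case in the test suite is also worth adding: an add request with a CIDR whose network start falls below the set's first address, expected to fail with IPSET_ERR_BITMAP_RANGE.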