3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Oct 2018 15:07:17 +0000 (17:07 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Oct 2018 15:07:17 +0000 (17:07 +0200)
added patches:
ebtables-arpreply-add-the-standard-target-sanity-check.patch

queue-3.18/ebtables-arpreply-add-the-standard-target-sanity-check.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/ebtables-arpreply-add-the-standard-target-sanity-check.patch b/queue-3.18/ebtables-arpreply-add-the-standard-target-sanity-check.patch
new file mode 100644 (file)
index 0000000..74e96bc
--- /dev/null
@@ -0,0 +1,55 @@
+From c953d63548207a085abcb12a15fefc8a11ffdf0a Mon Sep 17 00:00:00 2001
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Tue, 16 May 2017 09:30:18 +0800
+Subject: ebtables: arpreply: Add the standard target sanity check
+
+From: Gao Feng <gfree.wind@vip.163.com>
+
+commit c953d63548207a085abcb12a15fefc8a11ffdf0a upstream.
+
+The info->target comes from userspace and it would be used directly.
+So we need to add the sanity check to make sure it is a valid standard
+target, although the ebtables tool has already checked it. Kernel needs
+to validate anything coming from userspace.
+
+If the target is set as an evil value, it would break the ebtables
+and cause a panic. Because the non-standard target is treated as one
+offset.
+
+Now add one helper function ebt_invalid_target, and we would replace
+the macro INVALID_TARGET later.
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Loic <hackurx@opensec.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter_bridge/ebtables.h |    5 +++++
+ net/bridge/netfilter/ebt_arpreply.c       |    3 +++
+ 2 files changed, 8 insertions(+)
+
+--- a/include/linux/netfilter_bridge/ebtables.h
++++ b/include/linux/netfilter_bridge/ebtables.h
+@@ -124,4 +124,9 @@ extern unsigned int ebt_do_table(unsigne
+ /* True if the target is not a standard target */
+ #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
++static inline bool ebt_invalid_target(int target)
++{
++      return (target < -NUM_STANDARD_TARGETS || target >= 0);
++}
++
+ #endif
+--- a/net/bridge/netfilter/ebt_arpreply.c
++++ b/net/bridge/netfilter/ebt_arpreply.c
+@@ -67,6 +67,9 @@ static int ebt_arpreply_tg_check(const s
+       if (e->ethproto != htons(ETH_P_ARP) ||
+           e->invflags & EBT_IPROTO)
+               return -EINVAL;
++      if (ebt_invalid_target(info->target))
++              return -EINVAL;
++
+       return 0;
+ }
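Review bot: The new `ebt_invalid_target()` in ebtables.h has no comment of its own and is placed directly under `INVALID_TARGET`, so the header now holds two copies of the same range test, one of which silently reads a local variable named `info`. Because the commit message says the value comes from userspace and a non-standard target is treated as an offset, I would document that on the helper, for example `/* True if target is not a standard target; userspace-supplied values must be rejected in the target's check hook because any other value is used as an offset */`, and put a blank line between the macro and the function. Until the macro is removed the two definitions have to be kept in sync, and the outer parentheses in the return are redundant: `return target < -NUM_STANDARD_TARGETS || target >= 0;`. `ebt_arpreply_tg_check()` starts above the inner hunk, so only the tail of its checks is visible here.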
index c3444944f1ed3a56c6bae00fdb894ee11dba7b04..63be09d6c2dece3698ee09fd7ff8a047fc0695eb 100644 (file)
@@ -117,3 +117,4 @@ jbd2-don-t-mark-block-as-modified-if-the-handle-is-out-of-credits.patch
 ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch
 cgroup-fix-deadlock-in-cpu-hotplug-path.patch
 ubifs-check-for-name-being-null-while-mounting.patch
+ebtables-arpreply-add-the-standard-target-sanity-check.patch