git.ipfire.org Git - thirdparty/kernel/stable.git/commit
netfilter: bridge: ebt_among: add missing match size checks
author Florian Westphal <fw@strlen.de>
Mon, 19 Feb 2018 02:01:45 +0000 (03:01 +0100)
committer Sasha Levin <alexander.levin@microsoft.com>
Wed, 21 Mar 2018 03:49:52 +0000 (23:49 -0400)
commit b809f906144dc68bcff91ab74da723fddfcd8061
tree 613647a4fad8b57a35c40f09b97bc8d1de27ac3e
parent 1829a59ba6e8fa6467ea4607cf086b5e2d8d6426
netfilter: bridge: ebt_among: add missing match size checks

[ Upstream commit c4585a2823edf4d1326da44d1524ecbfda26bb37 ]

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

Therefore it must check that the size of the match structure
provided from userspace is sane by making sure em->match_size
is at least the minimum size of the expected structure.

The module has such a check, but it's only done after accessing
a structure that might be out of bounds.

tested with: ebtables -A INPUT ... \
--among-dst fe:fe:fe:fe:fe:fe
--among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe
--among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe

Reported-by: <syzbot+fe0b19af568972814355@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
net/bridge/netfilter/ebt_among.c
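The check ordering the commit message describes, as an added user-space example that is not the kernel's code: the minimum size is verified before the fixed header is read, and each offset is verified before the table it points to is read. The struct layout and all names (`among_hdr`, `among_tbl`, `among_check`, `among_check_sample`) are hypothetical, and the sample blob is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout: fixed header with offsets to variable-length tables. */
struct among_hdr { uint32_t dst_ofs, src_ofs; };   /* 0 = table absent */
struct among_tbl { uint32_t count; };              /* count 8-byte entries follow */
/* Is the table header at 'ofs' fully inside the blob? Must pass before reading it. */
static int tbl_hdr_in_bounds(uint32_t ofs, size_t match_size)
{
    if (ofs == 0)
        return 1;
    if (ofs < sizeof(struct among_hdr) || match_size < sizeof(struct among_tbl))
        return 0;
    return ofs <= match_size - sizeof(struct among_tbl);
}
/* Bytes occupied by the table at 'ofs'; call only after tbl_hdr_in_bounds(). */
static uint64_t tbl_size(const uint8_t *blob, uint32_t ofs)
{
    struct among_tbl t;
    if (ofs == 0)
        return 0;
    memcpy(&t, blob + ofs, sizeof(t));
    return sizeof(t) + (uint64_t)t.count * 8;
}
/* Returns 0 if the blob is self-consistent, -1 otherwise. */
int among_check(const uint8_t *blob, size_t match_size)
{
    struct among_hdr h;
    if (match_size < sizeof(h))            /* 1: minimum size before any read */
        return -1;
    memcpy(&h, blob, sizeof(h));
    if (!tbl_hdr_in_bounds(h.dst_ofs, match_size) ||
        !tbl_hdr_in_bounds(h.src_ofs, match_size))
        return -1;                         /* 2: offsets before dereference */
    /* 3: only now read the counts and compare the total with match_size */
    uint64_t expected = sizeof(h) + tbl_size(blob, h.dst_ofs) + tbl_size(blob, h.src_ofs);
    return expected == match_size ? 0 : -1;
}
/* Constructed sample: header plus one dst table placed right after the header,
 * checked against a caller-claimed size (keep claimed_size <= 64). */
int among_check_sample(uint32_t dst_ofs, uint32_t count, size_t claimed_size)
{
    uint8_t blob[64] = {0};
    struct among_hdr h = { dst_ofs, 0 };
    struct among_tbl t = { count };
    memcpy(blob, &h, sizeof(h));
    memcpy(blob + sizeof(h), &t, sizeof(t));
    return among_check(blob, claimed_size);
}
```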