Date: Tue, 1 Sep 2020 16:36:08 +0100
From: Will Deacon <will@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: William Mcvicker <willmcvicker@...gle.com>, security@...nel.org, Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>, Florian Westphal <fw@...len.de>, "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, netfilter-devel@...r.kernel.org, coreteam@...filter.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, kernel-team@...roid.com, stable@...r.kernel.org
Subject: Re: [PATCH v2 1/1] netfilter: nat: add a range check for l3/l4 protonum

Hi Will, Pablo,

On Tue, Aug 04, 2020 at 01:37:11PM +0200, Pablo Neira Ayuso wrote:
> This patch is much smaller and if you confirm this addresses the
> issue, then this is awesome.

Did that ever get confirmed? AFAICT, nothing ended up landing in the stable
trees for this.

Cheers,

Will

> On Mon, Aug 03, 2020 at 06:31:56PM +0000, William Mcvicker wrote:
> [...]
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > > index 31fa94064a62..56d310f8b29a 100644 > > --- a/net/netfilter/nf_conntrack_netlink.c > > +++ b/net/netfilter/nf_conntrack_netlink.c > > @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[], > > if (!tb[CTA_TUPLE_IP]) > > return -EINVAL; > > > > + if (l3num >= NFPROTO_NUMPROTO) > > + return -EINVAL;
>
> l3num can only be either NFPROTO_IPV4 or NFPROTO_IPV6.
>
> Other than that, bail out with EOPNOTSUPP.
>
> Thank you.
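
Review bot: the added `l3num >= NFPROTO_NUMPROTO` test in ctnetlink_parse_tuple() is looser than the parser needs, because it still accepts every family value below NFPROTO_NUMPROTO rather than only the ones this path handles. As the quoted reply points out, l3num here can only be NFPROTO_IPV4 or NFPROTO_IPV6, so an explicit check such as `if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6) return -EOPNOTSUPP;` states the intent directly and lets callers tell an unsupported family apart from a malformed message, which the neighbouring CTA_TUPLE_IP check already reports as -EINVAL. The hunk also does not show which lookup l3num indexes, so a one-line comment naming what the check protects would help anyone backporting this to the stable trees.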