lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 05 Jun 2016 23:11:36 +0200
From:	Andreas Schwab <>
To:	Pablo Neira Ayuso <>
Subject: Re: [PATCH 07/23] netfilter: x_tables: check standard target size too

Pablo Neira Ayuso <> writes:

> From: Florian Westphal <>
> We have targets and standard targets -- the latter carries a verdict.
> The ip/ip6tables validation functions will access t->verdict for the
> standard targets to fetch the jump offset or verdict for chainloop
> detection, but this happens before the targets get checked/validated.
> Thus we also need to check for verdict presence here, else t->verdict
> can point right after a blob.
> Spotted with UBSAN while testing malformed blobs.

This breaks iptables on PPC32.

# iptables -nL
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
# modprobe iptable-filter
FATAL: Error inserting iptable_filter (/lib/modules/4.7.0-rc1/kernel/net/ipv4/netfilter/iptable_filter.ko): Invalid argument


Andreas Schwab,
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Powered by blists - more mailing lists