diff options
| author | Florian Westphal <fw@strlen.de> | 2023-09-05 23:13:56 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2023-09-06 18:03:02 +0200 |
| commit | fd94d9dadee58e09b49075240fe83423eb1dcd36 (patch) | |
| tree | eed2c24f681c4bf05a3af101844768a1bbc5c0b5 /scripts/gdb/linux/utils.py | |
| parent | 1a961e74d5abbea049588a3d74b759955b4ed9d5 (diff) | |
netfilter: nftables: exthdr: fix 4-byte stack OOB write
If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.
This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.
The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.
Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).
Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'scripts/gdb/linux/utils.py')
0 files changed, 0 insertions, 0 deletions