netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length

Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length was not checked explicitly, just for the maximum possible size. Malicious netlink clients could send shorter attribute and thus resulting a kernel read after the buffer. The patch adds the explicit length checkings. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2016-03-08 20:29:10 +0100
committer: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2016-03-08 20:29:10 +0100
commit: 367e198805de5027da779ab86cebd4a2c69c75d8 (patch)
tree: 16b0f5183b451b174696fee7b571e0a1274e5aa4 /kernel/net/netfilter/ipset/ip_set_hash_mac.c
parent: 7dcaf666bbc8290f8eb0eb3ec4dd0c5631020347 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_hash_mac.c b/kernel/net/netfilter/ipset/ip_set_hash_mac.c
index f1e7d2c..8f004ed 100644
--- a/kernel/net/netfilter/ipset/ip_set_hash_mac.c
+++ b/kernel/net/netfilter/ipset/ip_set_hash_mac.c
@@ -110,7 +110,8 @@ hash_mac4_uadt(struct ip_set *set, struct nlattr *tb[],
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 
-	if (unlikely(!tb[IPSET_ATTR_ETHER]))
+	if (unlikely(!tb[IPSET_ATTR_ETHER] ||
+		     nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN))
 		return -IPSET_ERR_PROTOCOL;
 
 	ret = ip_set_get_extensions(set, tb, &ext);
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2016-03-08 20:29:10 +0100
committer	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2016-03-08 20:29:10 +0100
commit	367e198805de5027da779ab86cebd4a2c69c75d8 (patch)
tree	16b0f5183b451b174696fee7b571e0a1274e5aa4 /kernel/net/netfilter/ipset/ip_set_hash_mac.c
parent	7dcaf666bbc8290f8eb0eb3ec4dd0c5631020347 (diff)