| author | Dmitry Mishin <[email protected]> | 2006-10-30 23:12:55 +0000 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2006-10-30 23:24:44 +0000 |
| commit | 590bdf7fd2292b47c428111cb1360e312eff207e (patch) | |
| tree | c44b60a5e40b5e16e3478aecb839825b4a602ced /security/selinux/hooks.c | |
| parent | [NETFILTER]: remove masq/NAT from ip6tables Kconfig help (diff) | |
[NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables

There are a number of issues in parsing the user-provided table in
translate_table(). A malicious user with CAP_NET_ADMIN may crash the system by
passing a specially crafted table to the *_tables.

The first issue is that the mark_source_chains() function is called before the
entry content checks. In the case of a standard target, mark_source_chains()
uses the t->verdict field in order to determine the new position. But the check
that this field leads no further than the table end is in check_entry(), which
is called later than mark_source_chains().

The second issue is that there is no check that target_offset points inside
the entry. If so, the *_ITERATE_MATCH macro will follow further than the entry
ends. As a result, we'll have an oops or memory disclosure.

And the third issue is that there is no check that the target is completely
inside the entry. The results are the same as in the previous issue.

Signed-off-by: Dmitry Mishin <[email protected]>
Acked-by: Kirill Korotaev <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'security/selinux/hooks.c')
0 files changed, 0 insertions, 0 deletions
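
The three checks the commit message describes, written out as an added example that is not the kernel's code or part of this commit. The struct layouts and the names check_entry_bounds, validate_table and sample_table_ok are hypothetical simplifications, and every entry is validated before anything is allowed to follow a verdict.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified, hypothetical layouts; not the kernel's own structures. */
struct entry  { uint16_t target_offset, next_offset; };
struct target { uint16_t target_size; int32_t verdict; /* >= 0: jump offset */ };

/* Returns the entry's next_offset if the entry at `off` is sane, else 0. */
static size_t check_entry_bounds(const unsigned char *blob, size_t size, size_t off)
{
    struct entry e;
    struct target t;
    if (off > size || size - off < sizeof(e))
        return 0;                           /* entry header outside table */
    memcpy(&e, blob + off, sizeof(e));      /* copy: blob may be unaligned */
    if (e.next_offset < sizeof(e) + sizeof(t) || e.next_offset > size - off)
        return 0;                           /* entry runs past table end */
    if (e.target_offset < sizeof(e) || e.target_offset > e.next_offset - sizeof(t))
        return 0;                           /* target_offset not inside entry */
    memcpy(&t, blob + off + e.target_offset, sizeof(t));
    if (t.target_size < sizeof(t) || t.target_size > e.next_offset - e.target_offset)
        return 0;                           /* target not completely inside entry */
    if (t.verdict >= 0 && (size_t)t.verdict > size - sizeof(e))
        return 0;                           /* verdict leads past table end */
    return e.next_offset;
}

/* Validate every entry first; only then may anything follow verdicts. */
static int validate_table(const unsigned char *blob, size_t size)
{
    for (size_t off = 0; off < size; ) {
        size_t step = check_entry_bounds(blob, size, off);
        if (step == 0)
            return 0;
        off += step;
    }
    return size != 0;
}

/* Constructed sample: a single-entry table with caller-chosen fields. */
static int sample_table_ok(uint16_t target_offset, uint16_t target_size, int32_t verdict)
{
    unsigned char blob[sizeof(struct entry) + sizeof(struct target)] = {0};
    struct entry e = { target_offset, (uint16_t)sizeof(blob) };
    struct target t = { target_size, verdict };
    memcpy(blob, &e, sizeof(e));
    memcpy(blob + sizeof(e), &t, sizeof(t));
    return validate_table(blob, sizeof(blob));
}

int main(void) { return !sample_table_ok(4, 8, 0); }
```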
