netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length

Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length was not checked explicitly, just for the maximum possible size. Malicious netlink clients could send shorter attribute and thus resulting a kernel read after the buffer. The patch adds the explicit length checkings. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2016-03-08 20:29:10 +0100
committer: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2016-03-08 20:36:17 +0100
commit: d8aacd87180141ff6b812b53de77a4336e87c91a (patch)
tree: 66fe7872cb80156e6e58e9b95978d6fb9a6f3063 /net/netfilter/ipset/ip_set_bitmap_ipmac.c
parent: 45040978c8994d1401baf5cc5ac71c1495d4e120 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 29dde208381d..9a065f672d3a 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -267,6 +267,8 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
 
 	e.id = ip_to_id(map, ip);
 	if (tb[IPSET_ATTR_ETHER]) {
+		if (nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN)
+			return -IPSET_ERR_PROTOCOL;
 		memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
 		e.add_mac = 1;
 	}
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2016-03-08 20:29:10 +0100
committer	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2016-03-08 20:36:17 +0100
commit	d8aacd87180141ff6b812b53de77a4336e87c91a (patch)
tree	66fe7872cb80156e6e58e9b95978d6fb9a6f3063 /net/netfilter/ipset/ip_set_bitmap_ipmac.c
parent	45040978c8994d1401baf5cc5ac71c1495d4e120 (diff)