linux-next/netfilter at 1af7f88af269c4e06a4dc3bc920ff6cdf7471124 - linux-next - MyRedstone

Kernel/linux-next

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-10 07:50:04 +00:00

History

Eric Dumazet 65acf6e050 netfilter: complete validation of user input

In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.

In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:

if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
        return -EINVAL;

Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

2024-04-10 19:42:56 -07:00

..

arp_tables.c

netfilter: complete validation of user input

2024-04-10 19:42:56 -07:00

arpt_mangle.c

netfilter: ipv4: prefer skb_ensure_writable

2019-05-31 18:02:46 +02:00

arptable_filter.c

netfilter: arp_tables: allow use of arpt_do_table as hookfn

2021-10-14 23:06:53 +02:00

ip_tables.c

netfilter: complete validation of user input

2024-04-10 19:42:56 -07:00

ipt_ah.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

ipt_ECN.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-06-22 08:59:24 -04:00

ipt_REJECT.c

netfilter: use actual socket sk for REJECT action

2020-12-01 14:33:55 +01:00

ipt_rpfilter.c

netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.

2022-10-19 08:46:48 +02:00

ipt_SYNPROXY.c

netfilter: Add MODULE_DESCRIPTION entries to kernel modules

2020-06-25 00:50:31 +02:00

iptable_filter.c

netfilter: iptables: allow use of ipt_do_table as hookfn

2021-10-14 23:06:53 +02:00

iptable_mangle.c

netfilter: xt_mangle: only check verdict part of return value

2023-10-18 10:26:43 +02:00

iptable_nat.c

netfilter: add missing module descriptions

2023-11-08 13:52:32 +01:00

iptable_raw.c

netfilter: add missing module descriptions

2023-11-08 13:52:32 +01:00

iptable_security.c

netfilter: iptables: allow use of ipt_do_table as hookfn

2021-10-14 23:06:53 +02:00

Kconfig

netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c

2024-03-28 03:54:02 +01:00

Makefile

netfilter: xtables: allow xtables-nft only builds

2024-01-29 15:43:21 +01:00

nf_defrag_ipv4.c

netfilter: add missing module descriptions

2023-11-08 13:52:32 +01:00

nf_dup_ipv4.c

netfilter: drop bridge nf reset from nf_reset

2019-10-01 18:42:15 +02:00

nf_nat_h323.c

netfilter: nat: move repetitive nat port reserve loop to a helper

2022-09-07 16:46:04 +02:00

nf_nat_pptp.c

netfilter: conntrack: pptp: use single option structure

2022-02-04 06:30:28 +01:00

nf_nat_snmp_basic_main.c

netfilter: ipv4: prefer skb_ensure_writable

2019-05-31 18:02:46 +02:00

nf_nat_snmp_basic.asn1

treewide: Add SPDX identifier to IETF ASN.1 modules

2023-10-27 18:04:28 +08:00

nf_reject_ipv4.c

netfilter: bridge: replace physindev with physinif in nf_bridge_info

2024-01-17 12:02:49 +01:00

nf_socket_ipv4.c

tcp: Access &tcp_hashinfo via net.

2022-09-20 10:21:49 -07:00

nf_tproxy_ipv4.c

netfilter: tproxy: fix deadlock due to missing BH disable

2023-03-06 12:09:48 +01:00

nft_dup_ipv4.c

netfilter: nf_tables: Extend nft_expr_ops::dump callback parameters

2022-11-15 10:46:34 +01:00

nft_fib_ipv4.c

netfilter: rpfilter/fib: clean up some inconsistent indenting

2022-11-15 10:53:18 +01:00

nft_reject_ipv4.c

netfilter: nf_tables: do not reduce read-only expressions

2022-03-20 00:29:46 +01:00