[PATCH nf v3] netfilter: x_tables: perform more sanity tests on rule set

2016-03-22 Thread Florian Westphal
3rd iteration. In addition to the problem reported by Ben Hawkes this also adds a few checks to better validate ->next_offset and the target. I checked that ip(6)tables-restore still works w. simple rulesets. The reproducer doesn't work anymore w. patch #4 applied.

[PATCH 5/5] netfilter: x_tables: don't move to non-existent next rule

2016-03-22 Thread Florian Westphal
Ben Hawkes reported an out-of-bounds write in mark_source_chains(). This was caused by improper underflow check -- we should have bailed earlier. The underflow check has been fixed in the preceding change ("netfilter: x_tables: fix unconditional helper"). Just to be safe also add checks to

[PATCH 1/5] netfilter: x_tables: validate e->target_offset early

2016-03-22 Thread Florian Westphal
We should check that e->target_offset is sane before mark_source_chains gets called since it will fetch the target entry for loop detection. Signed-off-by: Florian Westphal --- net/ipv4/netfilter/arp_tables.c | 17 - net/ipv4/netfilter/ip_tables.c | 17

[PATCH 2/5] netfilter: x_tables: make sure e->next_offset covers remaining blob size

2016-03-22 Thread Florian Westphal
Otherwise this function may read data beyond the ruleset blob. Signed-off-by: Florian Westphal --- net/ipv4/netfilter/arp_tables.c | 6 -- net/ipv4/netfilter/ip_tables.c | 6 -- net/ipv6/netfilter/ip6_tables.c | 6 -- 3 files changed, 12 insertions(+), 6

Re: net/sctp: stack-out-of-bounds in sctp_getsockopt

2016-03-22 Thread Eric Dumazet
On Tue, 2016-03-22 at 08:21 -0700, Eric Dumazet wrote: > On Tue, 2016-03-22 at 23:08 +0800, Baozeng Ding wrote: > > Hi all, > > > > The following program triggers an out-of-bounds bug in > > sctp_getsockopt. The kernel version is 4.5 (on Mar 16 > > commit

Re: [PATCH 4/4 v5] nftables: rule: Change the field "rule->comment" for an nftnl_udata_buf

2016-03-22 Thread Carlos Falgueras García
On 21/03/16 23:13, Pablo Neira Ayuso wrote: On Tue, Mar 15, 2016 at 09:28:07PM +0100, Carlos Falgueras García wrote: Now it is possible to store multiple variable length user data into rule. Modify the parser in order to fill the nftnl_udata with the comment, and the print function for extract

Re: [PATCH 1/4 v5] libnftnl: Implement new buffer of TLV objects

2016-03-22 Thread Carlos Falgueras García
On 21/03/16 23:10, Pablo Neira Ayuso wrote: On Tue, Mar 15, 2016 at 09:28:04PM +0100, Carlos Falgueras García wrote: These functions allow to create a buffer (nftnl_udata_buf) of TLV objects (nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store several variable length user

Re: [PATCH] openvswitch: Fix checking for new expected connections.

2016-03-22 Thread Pablo Neira Ayuso
On Mon, Mar 21, 2016 at 11:15:19AM -0700, Jarno Rajahalme wrote: > OVS should call into CT NAT for packets of new expected connections only > when the conntrack state is persisted with the 'commit' option to the > OVS CT action. The test for this condition is doubly wrong, as the CT > status