iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Dan Carpenter 18a169810c netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() 
[ Upstream commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 ]

The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on...  On each
iteration we are writing 8 bytes.  But dst[] is an array of u32 so each
element only has space for 4 bytes.  That means that every iteration
overwrites part of the previous element.

I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue.  I think that the reason we have not detected this bug in testing
is that most of time we only write one element.

Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-11-28 17:07:05 +00:00
..
6lowpan
9p
9p: v9fs_listxattr: fix %s null argument warning
2023-11-28 17:07:01 +00:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2022-12-31 13:33:02 +01:00
8021q
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
2023-05-24 17:32:47 +01:00
appletalk
atm
atm: hide unused procfs functions
2023-06-09 10:34:16 +02:00
ax25
ax25: move from strlcpy with unused retval to strscpy
2022-08-22 17:55:50 -07:00
batman-adv
batman-adv: Hold rtnl lock during MTU update via netlink
2023-08-30 16:11:08 +02:00
bluetooth
Bluetooth: Fix double free in hci_conn_cleanup
2023-11-28 17:06:56 +00:00
bpf
Revert "bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES"
2023-03-17 08:50:32 +01:00
bpfilter
bridge
netfilter: nf_conntrack_bridge: initialize err to 0
2023-11-28 17:07:05 +00:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:50:24 +01:00
can
can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior
2023-10-19 23:08:52 +02:00
ceph
libceph: use kernel_connect()
2023-10-19 23:08:56 +02:00
core
net: annotate data-races around sk->sk_dst_pending_confirm
2023-11-28 17:06:56 +00:00
dcb
net: dcb: choose correct policy to parse DCB_ATTR_BCN
2023-08-11 12:08:17 +02:00
dccp
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
2023-11-20 11:52:16 +01:00
devlink
devlink: remove reload failed checks in params get/set callbacks
2023-09-23 11:11:01 +02:00
dns_resolver
dsa
net: dsa: sja1105: always enable the send_meta options
2023-07-19 16:22:06 +02:00
ethernet
net: gro: skb_gro_header helper function
2022-08-25 10:33:21 +02:00
ethtool
ipv6: Remove in6addr_any alternatives.
2023-09-19 12:28:10 +02:00
hsr
hsr: Prevent use after free in prp_create_tagged_frame()
2023-11-20 11:52:15 +01:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-10-07 09:29:17 +02:00
ife
ipv4
net: set SOCK_RCU_FREE before inserting socket into hashtable
2023-11-28 17:07:04 +00:00
ipv6
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
2023-11-20 11:52:16 +01:00
iucv
net/iucv: Fix size of interrupt data
2023-03-22 13:33:50 +01:00
kcm
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
2023-09-19 12:28:10 +02:00
key
net: af_key: fix sadb_x_filter validation
2023-08-23 17:52:32 +02:00
l2tp
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
2023-10-10 22:00:42 +02:00
l3mdev
lapb
llc
llc: verify mac len before reading mac header
2023-11-20 11:52:15 +01:00
mac80211
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
2023-11-28 17:06:55 +00:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-05 09:53:08 +01:00
mctp
mctp: perform route lookups under a RCU read-side lock
2023-10-19 23:08:57 +02:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:59:53 +01:00
mptcp
mptcp: avoid sending RST when closing the initial subflow
2023-10-25 12:03:16 +02:00
ncsi
ncsi: Propagate carrier gain/loss events to the NCSI controller
2023-10-06 14:56:57 +02:00
netfilter
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
2023-11-28 17:07:05 +00:00
netlabel
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
2023-09-13 09:42:24 +02:00
netlink
netlink: remove the flex array from struct nlmsghdr
2023-10-10 22:00:46 +02:00
netrom
netrom: Deny concurrent connect().
2023-09-13 09:42:35 +02:00
nfc
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
2023-10-25 12:03:04 +02:00
nsh
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
2023-05-24 17:32:45 +01:00
openvswitch
net: openvswitch: reject negative ifindex
2023-08-23 17:52:35 +02:00
packet
net/packet: annotate data-races around tp->status
2023-08-16 18:27:26 +02:00
phonet
psample
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
qrtr
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
2023-04-20 12:35:09 +02:00
rds
net: prevent address rewrite in kernel_bind()
2023-10-19 23:08:50 +02:00
rfkill
net: rfkill: gpio: prevent value glitch during probe
2023-10-25 12:03:06 +02:00
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:59:42 +01:00
rxrpc
rxrpc: Fix hard call timeout units
2023-05-17 11:53:35 +02:00
sched
net: sched: cls_u32: Fix allocation size in u32_init()
2023-11-08 14:10:57 +01:00
sctp
sctp: update hb timer immediately after users change hb_interval
2023-10-10 22:00:44 +02:00
smc
net/smc: put sk reference if close work was canceled
2023-11-20 11:52:16 +01:00
strparser
sunrpc
SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
2023-11-28 17:07:04 +00:00
switchdev
tipc
tipc: Fix kernel-infoleak due to uninitialized TLV value
2023-11-28 17:07:05 +00:00
tls
tls: Use size_add() in call to struct_size()
2023-11-20 11:51:52 +01:00
unix
af_unix: fix use-after-free in unix_stream_read_actor()
2023-11-28 17:07:05 +00:00
vmw_vsock
vsock: read from socket's error queue
2023-11-28 17:06:56 +00:00
wireless
wifi: cfg80211: add flush functions for wiphy work
2023-11-20 11:51:51 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-09 11:28:13 +01:00
xdp
xsk: Fix xsk_diag use-after-free error during socket cleanup
2023-09-19 12:28:01 +02:00
xfrm
net: xfrm: skip policies marked as dead while reinserting policies
2023-10-25 12:03:12 +02:00
compat.c
use less confusing names for iov_iter direction initializers
2023-02-09 11:28:04 +01:00
devres.c
Kconfig
Remove DECnet support from kernel
2022-08-22 14:26:30 +01:00
Kconfig.debug
net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET
2022-09-20 14:23:56 -07:00
Makefile
devlink: move code to a dedicated directory
2023-08-30 16:11:00 +02:00
socket.c
net: prevent address rewrite in kernel_bind()
2023-10-19 23:08:50 +02:00
sysctl_net.c