]> Pileus Git - ~andy/linux/blobdiff - net/ipv4/netfilter/arp_tables.c
projects / ~andy / linux / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
[NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables
[~andy/linux] / net / ipv4 / netfilter / arp_tables.c
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index df4854cf598bbea46da6b19b6c2bb0ffdc0436fe..413c2d0a1f3dee117db48289865279113f70e348 100644 (file)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -56,8 +56,6 @@ do {                                                          \
 #define ARP_NF_ASSERT(x)
 #endif
 
-#include <linux/netfilter_ipv4/listhelp.h>
-
 static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
                                      char *hdr_addr, int len)
 {
@@ -82,7 +80,7 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
 {
        char *arpptr = (char *)(arphdr + 1);
        char *src_devaddr, *tgt_devaddr;
-       u32 src_ipaddr, tgt_ipaddr;
+       __be32 src_ipaddr, tgt_ipaddr;
        int i, ret;
 
 #define FWINV(bool,invflg) ((bool) ^ !!(arpinfo->invflags & invflg))
@@ -208,8 +206,7 @@ static unsigned int arpt_error(struct sk_buff **pskb,
                               const struct net_device *out,
                               unsigned int hooknum,
                               const struct xt_target *target,
-                              const void *targinfo,
-                              void *userinfo)
+                              const void *targinfo)
 {
        if (net_ratelimit())
                printk("arp_tables: error: '%s'\n", (char *)targinfo);
@@ -226,8 +223,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
                           unsigned int hook,
                           const struct net_device *in,
                           const struct net_device *out,
-                          struct arpt_table *table,
-                          void *userdata)
+                          struct arpt_table *table)
 {
        static const char nulldevname[IFNAMSIZ];
        unsigned int verdict = NF_DROP;
@@ -236,7 +232,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
        struct arpt_entry *e, *back;
        const char *indev, *outdev;
        void *table_base;
-       struct xt_table_info *private = table->private;
+       struct xt_table_info *private;
 
        /* ARP header, plus 2 device addresses, plus 2 IP addresses.  */
        if (!pskb_may_pull((*pskb), (sizeof(struct arphdr) +
@@ -248,6 +244,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
        outdev = out ? out->name : nulldevname;
 
        read_lock_bh(&table->lock);
+       private = table->private;
        table_base = (void *)private->entries[smp_processor_id()];
        e = get_entry(table_base, private->hook_entry[hook]);
        back = get_entry(table_base, private->underflow[hook]);
@@ -301,8 +298,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
                                                                     in, out,
                                                                     hook,
                                                                     t->u.kernel.target,
-                                                                    t->data,
-                                                                    userdata);
+                                                                    t->data);
 
                                /* Target might have changed stuff. */
                                arp = (*pskb)->nh.arph;
@@ -470,7 +466,13 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
                return -EINVAL;
        }
 
+       if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset)
+               return -EINVAL;
+
        t = arpt_get_target(e);
+       if (e->target_offset + t->u.target_size > e->next_offset)
+               return -EINVAL;
+
        target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name,
                                                        t->u.user.revision),
                                         "arpt_%s", t->u.user.name);
@@ -489,12 +491,10 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
        if (t->u.kernel.target == &arpt_standard_target) {
                if (!standard_check(t, size)) {
                        ret = -EINVAL;
-                       goto out;
+                       goto err;
                }
        } else if (t->u.kernel.target->checkentry
                   && !t->u.kernel.target->checkentry(name, e, target, t->data,
-                                                     t->u.target_size
-                                                     - sizeof(*t),
                                                      e->comefrom)) {
                duprintf("arp_tables: check failed for `%s'.\n",
                         t->u.kernel.target->name);
@@ -561,8 +561,7 @@ static inline int cleanup_entry(struct arpt_entry *e, unsigned int *i)
 
        t = arpt_get_target(e);
        if (t->u.kernel.target->destroy)
-               t->u.kernel.target->destroy(t->u.kernel.target, t->data,
-                                           t->u.target_size - sizeof(*t));
+               t->u.kernel.target->destroy(t->u.kernel.target, t->data);
        module_put(t->u.kernel.target->me);
        return 0;
 }
@@ -628,20 +627,18 @@ static int translate_table(const char *name,
                }
        }
 
-       if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
-               duprintf("Looping hook\n");
-               return -ELOOP;
-       }
-
        /* Finally, each sanity check must pass */
        i = 0;
        ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size,
                                 check_entry, name, size, &i);
 
-       if (ret != 0) {
-               ARPT_ENTRY_ITERATE(entry0, newinfo->size,
-                                  cleanup_entry, &i);
-               return ret;
+       if (ret != 0)
+               goto cleanup;
+
+       ret = -ELOOP;
+       if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
+               duprintf("Looping hook\n");
+               goto cleanup;
        }
 
        /* And one copy for every other CPU */
@@ -650,6 +647,9 @@ static int translate_table(const char *name,
                        memcpy(newinfo->entries[i], entry0, newinfo->size);
        }
 
+       return 0;
+cleanup:
+       ARPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
        return ret;
 }
 
@@ -1203,6 +1203,8 @@ err1:
 static void __exit arp_tables_fini(void)
 {
        nf_unregister_sockopt(&arpt_sockopts);
+       xt_unregister_target(&arpt_error_target);
+       xt_unregister_target(&arpt_standard_target);
        xt_proto_fini(NF_ARP);
 }
 
Andy's Linux Kernel repo