linux/net/ipv4/netfilter
Florian Westphal b29c457a65 netfilter: x_tables: fix compat match/target pad out-of-bound write
xt_compat_match/target_from_user doesn't check that zeroing the area
to start of next rule won't write past end of allocated ruleset blob.

Remove this code and zero the entire blob beforehand.

Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com
Reported-by: Andy Nguyen <theflow@google.com>
Fixes: 9fa492cdc1 ("[NETFILTER]: x_tables: simplify compat API")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-04-13 00:18:57 +02:00
..
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile netfilter: fix coding-style errors. 2019-09-13 11:39:38 +02:00
arp_tables.c netfilter: x_tables: fix compat match/target pad out-of-bound write 2021-04-13 00:18:57 +02:00
arpt_mangle.c netfilter: ipv4: prefer skb_ensure_writable 2019-05-31 18:02:46 +02:00
arptable_filter.c netfilter: arp_tables: add pre_exit hook for table unregister 2021-04-10 21:18:24 +02:00
ip_tables.c netfilter: x_tables: fix compat match/target pad out-of-bound write 2021-04-13 00:18:57 +02:00
ipt_CLUSTERIP.c Replace HTTP links with HTTPS ones: IPv* 2020-07-06 13:23:03 -07:00
ipt_ECN.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
ipt_REJECT.c netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00
ipt_SYNPROXY.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
ipt_ah.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ipt_rpfilter.c netfilter: rpfilter: mask ecn bits before fib lookup 2021-01-19 13:54:30 -08:00
iptable_filter.c netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c. 2020-06-25 00:50:31 +02:00
iptable_mangle.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-10-30 12:57:39 +01:00
iptable_nat.c netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c. 2020-06-25 00:50:31 +02:00
iptable_raw.c netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c. 2020-06-25 00:50:31 +02:00
iptable_security.c netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c. 2020-06-25 00:50:31 +02:00
nf_defrag_ipv4.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
nf_dup_ipv4.c netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
nf_flow_table_ipv4.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nf_log_arp.c netfilter: nf_log: missing vlan offload tag and proto 2020-10-14 01:25:14 +02:00
nf_log_ipv4.c netfilter: nf_log: missing vlan offload tag and proto 2020-10-14 01:25:14 +02:00
nf_nat_h323.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_nat_pptp.c netfilter: delete repeated words 2020-08-28 20:11:38 +02:00
nf_nat_snmp_basic.asn1 netfilter: nf_nat_snmp_basic: use asn1 decoder library 2018-01-19 13:59:07 +01:00
nf_nat_snmp_basic_main.c netfilter: ipv4: prefer skb_ensure_writable 2019-05-31 18:02:46 +02:00
nf_reject_ipv4.c netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00
nf_socket_ipv4.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
nf_tproxy_ipv4.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
nft_dup_ipv4.c netfilter: nftables: add nft_parse_register_load() and use it 2021-01-27 22:53:29 +01:00
nft_fib_ipv4.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_reject_ipv4.c netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00