Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/netfilter/ip6_tables.c

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Xiaotian Feng

Subject: Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/netfilter/ip6_tables.c

Date: Monday, March 22, 2010 - 8:05 pm

On Tue, Mar 23, 2010 at 10:37 AM, wzt wzt <wzt.wzt@gmail.com> wrote:
quoted text>> Patrick's point is that you're using "if (get.size >= INT_MAX /
>> sizeof(struct ipt_get_entries))"
>> So, did you find any chance that get.size * sizeof(struct
>> ipt_get_entries) >= INT_MAX ?
>>
> would you carefully read my explain???
> get.size is copy from the user space,  it can be set as 0x7fffffff,
> addition with sizeof(struct ipt_get_entries) can be overflow.
>

get.size is unsigned int, UINT_MAX is 0x FFFFFFFF, not 0x7FFFFFFF
And you're metioning "addition", then why you're checking as "multiplication"?

quoted text>> And, for the addition overflow, can it be caught by
>>
>> "if (*len != sizeof(struct ipt_get_entries) + get.size)"  ???
>>
> sizeof(struct ipt_get_entries) + get.size can be overflow as *len,
> get.size is control by user space with copy_from_user().


quoted text>
> On Tue, Mar 23, 2010 at 10:29 AM, Xiaotian Feng <xtfeng@gmail.com> wrote:
>> On Tue, Mar 23, 2010 at 9:34 AM, wzt wzt <wzt.wzt@gmail.com> wrote:
>>>> I can see that the size might cause an overflow in the addition with
>>>> sizeof(struct ipt_get_entries)
>>> That's the integer overflow i pointed.
>>> get.size is copy from the user space,  it can be set as 0x7fffffff,
>>> addition with sizeof(struct ipt_get_entries) can be overflow.
>>
>> Patrick's point is that you're using "if (get.size >= INT_MAX /
>> sizeof(struct ipt_get_entries))"
>> So, did you find any chance that get.size * sizeof(struct
>> ipt_get_entries) >= INT_MAX ?
>>
>> And, for the addition overflow, can it be caught by
>>
>> "if (*len != sizeof(struct ipt_get_entries) + get.size)"  ???
>>
>>>
>>>        if (*len != sizeof(struct ipt_get_entries) + get.size) {
>>>                duprintf("get_entries: %u != %zu\n",
>>>                         *len, sizeof(get) + get.size);
>>>                return -EINVAL;
>>>        }
>>>
>>> so, check get.size max value before addition with sizeof(struct
>>> ipt_get_entries) to prevent the integer overflow.
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>> Please read the FAQ at  http://www.tux.org/lkml/
>>>
>>
>
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH] Netfilter: Fix integer overflow in net/ipv6/netfil ..., wzt.wzt, (Sat Mar 20, 7:32 am)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., Patrick McHardy, (Mon Mar 22, 10:07 am)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., wzt wzt, (Mon Mar 22, 6:34 pm)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., Xiaotian Feng, (Mon Mar 22, 7:29 pm)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., wzt wzt, (Mon Mar 22, 7:37 pm)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., Jan Engelhardt, (Mon Mar 22, 8:04 pm)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., Xiaotian Feng, (Mon Mar 22, 8:05 pm)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., wzt wzt, (Mon Mar 22, 8:11 pm)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., wzt wzt, (Mon Mar 22, 8:48 pm)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., Xiaotian Feng, (Mon Mar 22, 9:49 pm)

Re: [PATCH] Netfilter: Fix integer overflow in net/ipv6/ne ..., wzt wzt, (Mon Mar 22, 10:49 pm)

Navigation

Popular discussions


linux-kernel:
Ken Chen	[patch] sched: fix inconsistency when redistribute per-cpu tg->cfs_rq shares.
Ingo Molnar	Re: [PATCH v3] x86: merge the simple bitops and move them to bitops.h
Jan Engelhardt	Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection
Dmitry Torokhov	Re: [2.6 patch] input/serio/hp_sdc.c section fix
Rafael J. Wysocki	[Bug #16380] Loop devices act strangely in 2.6.35
git:
Steven Grimm	Using git as a general backup mechanism (was Re: Using GIT to store /etc)
Jeff King	Re: [PATCH] git-reset: allow --soft in a bare repo
Johannes Sixt	Re: [PATCH 01/14] msvc: Fix compilation errors in compat/win32/sys/poll.c
Johannes Schindelin	Re: [PATCH] Uninstall rule for top level Makefile
Shawn O. Pearce	Re: [PATCH v2] Speed up bash completion loading
git-commits-head:
Linux Kernel Mailing List	cgroups: clean up cgroup_pidlist_find() a bit
Linux Kernel Mailing List	sony-laptop: Add support for extended hotkeys
Linux Kernel Mailing List	IB/core: Add support for masked atomic operations
Linux Kernel Mailing List	V4L/DVB (8939): cx18: fix sparse warnings
Linux Kernel Mailing List	ipv6 mcast: Check address family of gf_group in getsockopt(MS_FILTER).
linux-netdev:
Inaky Perez-Gonzalez	[PATCH 40/40] wimax/i2400m: add CREDITS and MAINTAINERS entries
Karsten Keil	[mISDN PATCH v2 05/19] Reduce stack size in dsp_cmx_send()
linux	Re: 2.6.23-rc8 network problem. Mem leak? ip1000a?
David Miller	Re: tun: Use netif_receive_skb instead of netif_rx
David Miller	Re: [net-next PATCH v2] llc enhancements
freebsd-current:
Matthew Fleming	Re: [RFC] Outline of USB process integration in the kernel taskqueue system
illoai@gmail.com	Re: OT: 2d password
Hartmut Brandt	Re: problem with nss_ldap
Andrew Reilly	Re: FreeBSD's problems as seen by the BSDForen.de community
Max Laier	Re: Upcoming ABI Breakage in RELENG_7

Colocation donated by:

Syndicate