    netfilter: xtables: zero padding in data_to_user · 324318f0
    Willem de Bruijn authored
    When looking up an iptables rule, the iptables binary compares the
    aligned match and target data (XT_ALIGN). In some cases this can
    exceed the actual data size to include padding bytes.
    
    Before commit f77bc5b2 ("iptables: use match, target and data
    copy_to_user helpers") the malloc()ed bytes were overwritten by the
    kernel with kzalloced contents, zeroing the padding and making the
    comparison succeed. After this patch, the kernel copies and clears
    only data, leaving the padding bytes undefined.
    
    Extend the clear operation from data size to aligned data size to
    include the padding bytes, if any.
    
    Padding bytes can be observed in both match and target, and the bug
    triggered, by issuing a rule with match icmp and target ACCEPT:
    
      iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
      iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
    
    Fixes: f77bc5b2 ("iptables: use match, target and data copy_to_user helpers")
    Reported-by: Paul Moore <pmoore@redhat.com>
    Reported-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
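The following is an added example, not code from this commit or from the kernel tree: a user-space model of the padding mismatch the message describes. It mirrors the kernel's XT_ALIGN() rounding with a local struct and macro (an assumption for this example; the real definition is in the netfilter uapi headers), stands in memcpy()/memset() for the kernel's copy_to_user()/clear_user() helpers, and uses a constructed 0xAA fill to make "undefined" malloc() contents deterministic. `data_to_user_before` copies only the data size; `data_to_user_after` also clears the bytes up to the aligned size, which is the change this commit makes. `rule_lookup_succeeds` plays the iptables binary comparing the aligned region against its own zero-padded rule, so the pre-fix lookup fails whenever XT_ALIGN() adds padding and succeeds when it does not.

```c
#include <stdalign.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the kernel's XT_ALIGN(): round a size up to the alignment of the
 * widest xtables scalar. Local stand-in for this example, not the uapi macro. */
struct _xt_align { uint8_t u8; uint16_t u16; uint32_t u32; uint64_t u64; };
#define XT_ALIGN(s) \
    (((s) + _Alignof(struct _xt_align) - 1) & ~(_Alignof(struct _xt_align) - 1))

/* Number of padding bytes XT_ALIGN() adds on top of `size`. */
static size_t padding_bytes(size_t size)
{
    return XT_ALIGN(size) - size;
}

typedef void (*copy_fn)(void *dst, const void *src, size_t size);

/* Pre-fix behaviour, modelled in user space: only `size` bytes reach `dst`;
 * whatever the padding slots of `dst` held before stays there. */
static void data_to_user_before(void *dst, const void *src, size_t size)
{
    memcpy(dst, src, size);
}

/* Post-fix behaviour: copy `size` bytes, then clear up to XT_ALIGN(size),
 * so `dst` holds exactly what the kzalloc'ed kernel object held. */
static void data_to_user_after(void *dst, const void *src, size_t size)
{
    size_t pad = padding_bytes(size);

    memcpy(dst, src, size);
    if (pad)
        memset((unsigned char *)dst + size, 0, pad);
}

/* Simulate an iptables lookup of a rule whose match/target data is `size`
 * bytes: the binary compares XT_ALIGN(size) bytes of what the kernel handed
 * back against its own zero-padded copy of the rule. Returns 1 if found. */
static int rule_lookup_succeeds(copy_fn copy, size_t size)
{
    size_t aligned = XT_ALIGN(size);
    unsigned char *kern = calloc(1, aligned);  /* kernel side: kzalloc'ed */
    unsigned char *user = malloc(aligned);     /* user side: recycled heap */
    unsigned char *want = calloc(1, aligned);  /* the rule the binary holds */
    int found;

    if (!kern || !user || !want)
        abort();

    kern[0] = 1;                 /* constructed payload, e.g. icmp type 1 */

    /* Constructed junk pattern standing in for uninitialised malloc() memory. */
    memset(user, 0xAA, aligned);
    copy(user, kern, size);

    memcpy(want, kern, size);    /* padding of `want` is zero from calloc() */

    found = memcmp(user, want, aligned) == 0;
    free(kern);
    free(user);
    free(want);
    return found;
}

int main(void)
{
    size_t size = 4;   /* a 4-byte payload; padding depends on the ABI's u64 alignment */

    printf("size %zu -> XT_ALIGN %zu, padding %zu bytes\n",
           size, (size_t)XT_ALIGN(size), padding_bytes(size));
    printf("before fix: lookup %s\n",
           rule_lookup_succeeds(data_to_user_before, size) ? "succeeds" : "fails");
    printf("after fix:  lookup %s\n",
           rule_lookup_succeeds(data_to_user_after, size) ? "succeeds" : "fails");
    return 0;
}
```

The comparison only breaks when XT_ALIGN() actually adds bytes, which is why the commit's reproducer picks a small match (icmp) and a small target (ACCEPT); a payload that is already a multiple of the alignment is unaffected by either version of the copy helper.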