Unverified Commit eda2c973 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!8618 CVE-2024-35896

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/ZQKPGCDZWWIBIVH5XLZZC34ZFXVEPWXS/ 
CVE-2024-35896

Eric Dumazet (2):
  netfilter: validate user input for expected length
  netfilter: complete validation of user input


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9QG86 
 
Link:https://gitee.com/openeuler/kernel/pulls/8618

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
parents 3eff6f28 7b31d755
+6 −0
@@ -1070,6 +1070,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
	struct ebt_table_info *newinfo;
	struct ebt_replace tmp;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1309,6 +1311,8 @@ static int update_counters(struct net *net, sockptr_t arg, unsigned int len)
{
	struct ebt_replace hlp;

	if (len < sizeof(hlp))
		return -EINVAL;
	if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
		return -EFAULT;

@@ -2238,6 +2242,8 @@ static int compat_update_counters(struct net *net, sockptr_t arg,
{
	struct compat_ebt_replace hlp;

	if (len < sizeof(hlp))
		return -EINVAL;
	if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
		return -EFAULT;
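Review bot: These three hunks only guarantee that `len` covers the fixed header (`struct ebt_replace` / `struct compat_ebt_replace`); nothing visible here checks `len` against the variable-length data that follows the header, whereas the do_replace() hunks in the other three file sections also gain `(u64)len < (u64)tmp.size + sizeof(tmp)`. If do_replace(), update_counters() and compat_update_counters() already compare `len` with the sizes declared in the header further down, a short comment beside the new guard would save the next reader the search, e.g. `/* header only; payload length is checked against len below */`; if they do not, a short buffer could still be over-read when the payload is copied. All three function bodies continue outside the hunks, so this needs confirming against the full file.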

+8 −0
@@ -955,6 +955,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct arpt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -963,6 +965,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1253,6 +1257,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct arpt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1261,6 +1267,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;
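Review bot: The `(u64)` casts in `if ((u64)len < (u64)tmp.size + sizeof(tmp))` carry the whole point of the check and deserve a comment: `tmp.size` is caller-supplied, and without the widening the sum could presumably wrap where `size_t` is 32 bits, letting an oversized `tmp.size` pass. Something like `/* tmp.size is caller-supplied: widen so size + header cannot wrap before comparing with len */` above the test would do. The comparison is `<` rather than `!=`, so a buffer longer than header plus entries is still accepted; that is presumably deliberate for compatibility, but worth stating. The same applies to compat_do_replace() in this file and to both functions in the two following file sections; all of these bodies start and end outside the hunks.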

+8 −0
@@ -1109,6 +1109,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct ipt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1117,6 +1119,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1493,6 +1497,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct ipt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1501,6 +1507,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

+8 −0
@@ -1127,6 +1127,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct ip6t_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1135,6 +1137,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1503,6 +1507,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct ip6t_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1511,6 +1517,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;