Commit f1a03d22 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Wentao Guan
Browse files

netfilter: nf_tables: reject mismatching sum of field_len with set key length 

stable inclusion
from stable-v6.6.76
commit 82e491e085719068179ff6a5466b7387cc4bbf32
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBW08Q

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=82e491e085719068179ff6a5466b7387cc4bbf32



--------------------------------

commit 1b9335a8000fb70742f7db10af314104b6ace220 upstream.

The field length description provides the length of each separated key
field in the concatenation, each field gets rounded up to 32-bits to
calculate the pipapo rule width from pipapo_init(). The set key length
provides the total size of the key aligned to 32-bits.

Register-based arithmetics still allows for combining mismatching set
key length and field length description, eg. set key length 10 and field
description [ 5, 4 ] leading to pipapo width of 12.

Cc: stable@vger.kernel.org
Fixes: 3ce67e3793f4 ("netfilter: nf_tables: do not allow mismatch field size and set key length")
Reported-by: default avatarNoam Rathaus <noamr@ssd-disclosure.com>
Reviewed-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 82e491e085719068179ff6a5466b7387cc4bbf32)
Signed-off-by: default avatarWentao Guan <guanwentao@uniontech.com>
parent cb9b2a60

net/netfilter/nf_tables_api.c

+4 −4
Original line number Diff line number Diff line
@@ -4875,7 +4875,7 @@ static int nft_set_desc_concat_parse(const struct nlattr *attr, 
static int nft_set_desc_concat(struct nft_set_desc *desc,

			       const struct nlattr *nla)

{

	u32 num_regs = 0, key_num_regs = 0;

	u32 len = 0, num_regs;

	struct nlattr *attr;

	int rem, err, i;
@@ -4889,12 +4889,12 @@ static int nft_set_desc_concat(struct nft_set_desc *desc, 
	}



	for (i = 0; i < desc->field_count; i++)

		num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));

		len += round_up(desc->field_len[i], sizeof(u32));



	key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));

	if (key_num_regs != num_regs)

	if (len != desc->klen)

		return -EINVAL;



	num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));

	if (num_regs > NFT_REG32_COUNT)

		return -E2BIG;