Unverified Commit ff720831 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!8619 CVE-2024-35896

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5ACOGSWXJKYQMY6FCKPGUVNQZNY7EMFT/ 
CVE-2024-35896

Eric Dumazet (2):
  netfilter: validate user input for expected length
  netfilter: complete validation of user input


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9QG86 
 
Link:https://gitee.com/openeuler/kernel/pulls/8619

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
parents 3a72a53a efb68683
+6 −0
@@ -1070,6 +1070,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
	struct ebt_table_info *newinfo;
	struct ebt_replace tmp;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1309,6 +1311,8 @@ static int update_counters(struct net *net, sockptr_t arg, unsigned int len)
{
	struct ebt_replace hlp;

	if (len < sizeof(hlp))
		return -EINVAL;
	if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
		return -EFAULT;

@@ -2239,6 +2243,8 @@ static int compat_update_counters(struct net *net, sockptr_t arg,
{
	struct compat_ebt_replace hlp;

	if (len < sizeof(hlp))
		return -EINVAL;
	if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
		return -EFAULT;

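Review bot: The guards added to do_replace, update_counters and compat_update_counters only establish that len covers the fixed-size header; nothing in these three hunks bounds the variable-length data that follows the header against len. The sections of this commit that handle arpt_entry, ipt_entry and ip6t_entry gain an explicit `(u64)len < (u64)tmp.size + sizeof(tmp)` test for that, and this file does not. All three functions continue outside the hunks, so an existing total-length comparison further down may already cover it, but that should be confirmed for each function before treating the fix as complete here. If the check is present, a short comment on the new guard such as `/* header only; total length is validated below */` would make the split visible to the next reader.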
+8 −0
@@ -955,6 +955,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct arpt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -963,6 +965,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1253,6 +1257,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct arpt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1261,6 +1267,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

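Review bot: The new `(u64)len < (u64)tmp.size + sizeof(tmp)` test in do_replace and compat_do_replace carries no comment explaining the 64-bit casts, and they are what keeps the check sound: tmp.size comes straight from the caller's buffer via the preceding copy_from_sockptr(), so on a build where the sum is computed in 32 bits it could wrap and let a short len pass. I would add `/* tmp.size is user-controlled; compare in 64 bits so size + sizeof(tmp) cannot wrap */` above it, so a later cleanup does not drop the casts as redundant. The test is a lower bound only, so a len larger than the header plus tmp.size is still accepted; if that is deliberate for compatibility, the comment should say so. The identical lines in the ipt_entry and ip6t_entry sections deserve the same comment, and both functions begin and end outside the hunks shown.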
+8 −0
@@ -1110,6 +1110,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct ipt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1118,6 +1120,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1494,6 +1498,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct ipt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1502,6 +1508,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

+8 −0
@@ -1128,6 +1128,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct ip6t_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1136,6 +1138,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1504,6 +1508,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
	void *loc_cpu_entry;
	struct ip6t_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1512,6 +1518,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;