On Mon, 2018-03-05 at 15:32 +0100, Florian Westphal wrote: > Paolo Abeni <pab...@redhat.com> wrote: > > Currently, when coping ebt compat entries, no checks are in place > > for the offsets provided by user space, so that syzbot was able to > > trigger the following splat: > > --- > > net/bridge/netfilter/ebtables.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/net/bridge/netfilter/ebtables.c > > b/net/bridge/netfilter/ebtables.c > > index 02c4b409d317..54ceaff701fb 100644 > > --- a/net/bridge/netfilter/ebtables.c > > +++ b/net/bridge/netfilter/ebtables.c > > @@ -2114,7 +2114,7 @@ static int size_entry_mwt(struct ebt_entry *entry, > > const unsigned char *base, > > unsigned int size; > > char *buf = buf_start + offsets[i]; > > > > - if (offsets[i] > offsets[j]) > > + if (offsets[i] > offsets[j] || offsets[j] > *total) > > return -EINVAL; > > I thought i fixed this via b71812168571fa55e44cdd0254471331b9c4c4c6, > and, after looking at it again I still don't see why that doesn't cover > this :-(
Actually such commit fixes the issues (I just double-checked via syzbot), the issue is I did not pull such changeset before starting investigating this bug. This patch is not needed, thanks. Paolo
