netfilter: xt_sctp: validate the flag_info count

walac · vvarma · commit 425347599381 · 2023-09-19T14:59:02.000+08:00
commit e994764 upstream. sctp_mt_check doesn't validate the flag_count field. An attacker can take advantage of that to trigger a OOB read and leak memory information. Add the field validation in the checkentry function. Fixes: 2e4e6a1 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") Cc: stable@vger.kernel.org Reported-by: Lucas Leong <wmliang@infosec.exchange> Signed-off-by: Wander Lairson Costa <wander@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
@@ -150,6 +150,8 @@ static int sctp_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_sctp_info *info = par->matchinfo;
 
+	if (info->flag_count > ARRAY_SIZE(info->flag_info))
+		return -EINVAL;
 	if (info->flags & ~XT_SCTP_VALID_FLAGS)
 		return -EINVAL;
 	if (info->invflags & ~XT_SCTP_VALID_FLAGS)

Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,8 @@ static int sctp_mt_check(const struct xt_mtchk_param *par)`
`150`	`150`	`{`
`151`	`151`	`const struct xt_sctp_info *info = par->matchinfo;`
`152`	`152`
	`153`	`+ if (info->flag_count > ARRAY_SIZE(info->flag_info))`
	`154`	`+ return -EINVAL;`
`153`	`155`	`if (info->flags & ~XT_SCTP_VALID_FLAGS)`
`154`	`156`	`return -EINVAL;`
`155`	`157`	`if (info->invflags & ~XT_SCTP_VALID_FLAGS)`