
ipfilter: Plug OOB read in ip_nat proxy
Needs Review (Public)

Authored by cy on Wed, Oct 22, 11:31 PM.

Details

Reviewers
emaste
markj
Summary

ipf_nat_putent() copies an ap_session_t from ipnn->ipn_data and then
uses aps->aps_psiz to allocate and copy a variable-length payload. The
code does not verify that the user-supplied buffer (ipnn->ipn_data)
actually contains at least sizeof(*aps) + aps->aps_psiz bytes. Even if
aps->aps_psiz itself is legitimate (e.g., originating from previously
saved kernel state), a truncated IPFOBJ_NATSAVE object can cause the
subsequent copy to read past the end of ipnn->ipn_data, resulting in an
out-of-bounds read in the kernel.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

cy requested review of this revision. Wed, Oct 22, 11:31 PM
sys/netpfil/ipfilter/netinet/ip_nat.c:2091

ipn_dsize is signed. Should we check whether it's negative?
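As an added illustration of the length validation the summary describes and of the signedness point raised in the inline comment, not code from the FreeBSD ipfilter tree: the struct names, field names and the check_case() helper below are simplified stand-ins, and the sample objects are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified stand-in for ap_session_t: only the field
 * that drives the variable-length copy is modelled. */
struct aps_model {
    uint32_t aps_psiz;   /* bytes of payload that follow the header */
};

/* Hypothetical stand-in for the IPFOBJ_NATSAVE request fields:
 * ipn_dsize is signed (as the inline comment notes) and ipn_data is
 * the user-supplied buffer. */
struct natsave_model {
    int32_t ipn_dsize;
    const unsigned char *ipn_data;
};

/* Return 0 if ipn_data provably holds a full header plus aps_psiz
 * payload bytes, -1 otherwise. Checks are ordered so that nothing is
 * read before the length that covers it has been validated. */
int natsave_payload_ok(const struct natsave_model *ipnn, struct aps_model *aps)
{
    size_t dsize;

    if (ipnn->ipn_dsize < 0)            /* negative size: reject before the cast */
        return -1;
    dsize = (size_t)ipnn->ipn_dsize;
    if (dsize < sizeof(*aps))           /* not even a whole header present */
        return -1;
    memcpy(aps, ipnn->ipn_data, sizeof(*aps));
    /* Subtract instead of adding: sizeof(*aps) + aps_psiz could wrap. */
    if (dsize - sizeof(*aps) < aps->aps_psiz)
        return -1;                      /* truncated object: copy would read OOB */
    return 0;
}

/* Build a constructed sample object whose header claims psiz payload
 * bytes, with the caller choosing what ipn_dsize advertises. */
int check_case(int32_t dsize, uint32_t psiz)
{
    unsigned char buf[64] = {0};
    struct aps_model hdr = { psiz };
    struct natsave_model ipnn = { dsize, buf };
    struct aps_model out;

    memcpy(buf, &hdr, sizeof(hdr));
    return natsave_payload_ok(&ipnn, &out);
}
```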