CVE-2018-5703 : Skipped due to fix rejected upstream
netfilter: add back stackpointer size checks
commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
The rationale for removing the check is only correct for rulesets
generated by ip(6)tables.
In iptables, a jump can only occur to a user-defined chain, i.e.
because we size the stack based on number of user-defined chains we
cannot exceed stack size.
However, the underlying binary format has no such restriction,
and the validation step only ensures that the jump target is a
valid rule start point.
IOW, its possible to build a rule blob that has no user-defined
chains but does contain a jump.
If this happens, no jump stack gets allocated and crash occurs
because no jumpstack was allocated.
Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
Signed-off-by: Florian Westphal <firstname.lastname@example.org>
Signed-off-by: Pablo Neira Ayuso <email@example.com>
Signed-off-by: Greg Kroah-Hartman <firstname.lastname@example.org>
3 files changed