netfilter: nftables: exthdr: fix 4-byte stack OOB write
authorFlorian Westphal <fw@strlen.de>
Tue, 5 Sep 2023 21:13:56 +0000 (23:13 +0200)
committerFlorian Westphal <fw@strlen.de>
Wed, 6 Sep 2023 16:03:02 +0000 (18:03 +0200)
commitfd94d9dadee58e09b49075240fe83423eb1dcd36
treeeed2c24f681c4bf05a3af101844768a1bbc5c0b5
parent1a961e74d5abbea049588a3d74b759955b4ed9d5
netfilter: nftables: exthdr: fix 4-byte stack OOB write

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/nft_exthdr.c