Hi!
> From: Will McVicker willmcvicker@google.com
>
> commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream.
>
> The indexes to the nf_nat_l[34]protos arrays come from userspace. So check the tuple's family, e.g. l3num, when creating the conntrack in order to prevent an OOB memory access during setup. Here is an example kernel panic on 4.14.180 when userspace passes in an index greater than NFPROTO_NUMPROTO.
Since this protects against OOB array access, should it use _nospec() variant to protect from speculation attacks?
Best regards, Pavel
+++ b/net/netfilter/nf_conntrack_netlink.c @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlatt if (!tb[CTA_TUPLE_IP]) return -EINVAL;
- if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
tuple->src.l3num = l3num;return -EOPNOTSUPP;
err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
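Review bot: this hunk validates only the L3 family, yet the commit message says the indexes into both the nf_nat_l3protos and nf_nat_l4protos arrays come from userspace; the L4 protonum carried in the same tuple needs an equivalent range check before it is used as an array index, and that change is not visible in this extract, so confirm it is part of the same patch. Two points on the lines shown: the extracted hunk renders the new check with a `-` prefix and puts `return -EOPNOTSUPP;` on the same line as the existing `tuple->src.l3num = l3num;`, which does not match the `+1129,8` header (two added lines); the applied patch should read `if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)` / `return -EOPNOTSUPP;` immediately before the assignment. And on Pavel's question: a plain comparison is what stops the architectural out-of-bounds read, so it is sufficient for the panic described; if speculative execution past this branch is a concern, the index would additionally be clamped with array_index_nospec() at the point where it indexes the array, which is not in this function. A one-line comment explaining why an unsupported family returns -EOPNOTSUPP while a missing CTA_TUPLE_IP returns -EINVAL would make that distinction look deliberate.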
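To make the two mechanisms Pavel's question contrasts concrete, here is a userspace C model of the lookup the commit message describes. It is added example code, not the kernel's code or the patch author's: the `l3protos` table, `lookup_unchecked()`, `lookup_nospec()` and `parse_tuple_family()` are hypothetical stand-ins for the nf_nat_l3protos array and ctnetlink_parse_tuple(); the NFPROTO_* values are the ones from the uapi netfilter header; and `index_mask_nospec()` is a portable rewrite of the kernel's generic array_index_mask_nospec() using unsigned shifts instead of an arithmetic right shift.

```c
/* Userspace model of a userspace-indexed per-family table: the unchecked
 * lookup that reads out of bounds, the range check the patch adds, and the
 * speculation-safe clamp Pavel asks about. Example code, not kernel code. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from include/uapi/linux/netfilter.h */
enum {
	NFPROTO_UNSPEC   = 0,
	NFPROTO_IPV4     = 2,
	NFPROTO_ARP      = 3,
	NFPROTO_BRIDGE   = 7,
	NFPROTO_IPV6     = 10,
	NFPROTO_NUMPROTO = 13,
};

struct nf_l3proto {
	const char *name;
	unsigned int addr_len;
};

/* Hypothetical stand-in for nf_nat_l3protos[]: only IPv4/IPv6 registered. */
static const struct nf_l3proto ipv4_proto = { "ipv4", 4 };
static const struct nf_l3proto ipv6_proto = { "ipv6", 16 };
static const struct nf_l3proto *l3protos[NFPROTO_NUMPROTO] = {
	[NFPROTO_IPV4] = &ipv4_proto,
	[NFPROTO_IPV6] = &ipv6_proto,
};

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Branch-free mask: ~0UL when index < size, 0 otherwise. Gives the same
 * result as the kernel's generic array_index_mask_nospec(): when index is
 * in range both operands of the OR are below size, so the top bit is clear;
 * when it is out of range (size - 1 - index) wraps and sets the top bit. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	unsigned long oob = (index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
	return oob - 1UL;
}

/* Clamp index to 0 when out of range without a data-dependent branch. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Vulnerable shape: trusts the userspace-supplied family as an array index.
 * Any l3num >= NFPROTO_NUMPROTO reads past the end of l3protos[]. */
static const struct nf_l3proto *lookup_unchecked(uint8_t l3num)
{
	return l3protos[l3num];
}

/* Hardened shape: the comparison stops the architectural OOB read, the
 * clamp stops a speculative one if the branch is mispredicted. */
static const struct nf_l3proto *lookup_nospec(uint8_t l3num)
{
	if (l3num >= NFPROTO_NUMPROTO)
		return NULL;
	return l3protos[array_index_nospec(l3num, NFPROTO_NUMPROTO)];
}

struct tuple { uint8_t l3num; };

/* Mirrors the check the patch adds to ctnetlink_parse_tuple(): reject any
 * family other than IPv4/IPv6 before it is stored and used downstream. */
static int parse_tuple_family(uint8_t l3num, struct tuple *t)
{
	if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
		return -EOPNOTSUPP;
	t->l3num = l3num;
	return 0;
}

/* Convenience wrapper returning only the status for a given family. */
static int family_accepted(uint8_t l3num)
{
	struct tuple t = { 0 };
	return parse_tuple_family(l3num, &t);
}

int main(void)
{
	/* In-range use of the unchecked lookup is fine; the bug is only
	 * reachable with a userspace-chosen value >= NFPROTO_NUMPROTO. */
	const struct nf_l3proto *p = lookup_unchecked(NFPROTO_IPV4);
	printf("unchecked(IPv4): %s\n", p ? p->name : "(null)");
	printf("nospec(IPv6): %s\n", lookup_nospec(NFPROTO_IPV6)->name);
	printf("nospec(200): %s\n", lookup_nospec(200) ? "entry" : "rejected");
	printf("family 13 -> %d, family 255 -> %d\n",
	       family_accepted(NFPROTO_NUMPROTO), family_accepted(255));
	return 0;
}
```

The patch's comparison is the part that prevents the crash in the commit message; the clamp only matters if an attacker can train the branch predictor so that `l3protos[l3num]` executes transiently with an out-of-range `l3num`, and it has to be applied where the array is actually indexed, not where the value is first validated.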