angler-fishThe Vulnerability History Project

[NETFILTER] x_tables: fix compat related crash on non-x86

      When iptables userspace adds an ipt_standard_target, it calculates the size
of the entire entry as:

sizeof(struct ipt_entry) + XT_ALIGN(sizeof(struct ipt_standard_target))

ipt_standard_target looks like this:

  struct xt_standard_target
  {
        struct xt_entry_target target;
        int verdict;
  };

xt_entry_target contains a pointer, so when compiled for 64 bit the
structure gets an extra 4 byte of padding at the end. On 32 bit
architectures where iptables aligns to 8 byte it will also have 4
byte padding at the end because it is only 36 bytes large.

The compat_ipt_standard_fn in the kernel adjusts the offsets by

  sizeof(struct ipt_standard_target) - sizeof(struct compat_ipt_standard_target),

which will always result in 4, even if the structure from userspace
was already padded to a multiple of 8. On x86 this works out by
accident because userspace only aligns to 4, on all other
architectures this is broken and cau
by Billie the Angelfish 2006-05-02 03:12:22 UTC
commit 46c5ea3c9ae7fbc6e52a13c92e59d4fc7f4ca80a
Linux Kernel
include/linux/netfilter/x_tables.h
-8
net/ipv4/netfilter/ip_tables.c
+19 -14
expand_less