shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-02 11:13:02 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0
linux/net
History
Pablo Neira Ayuso 550efeff98 netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits 
commit 696e1a48b1 upstream.

If the offset + length goes over the ethernet + vlan header, then the
length is adjusted to copy the bytes that are within the boundaries of
the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
vlan header are copied directly from the skbuff data area.

Fix incorrect arithmetic operator: subtract, not add, the size of the
vlan header in case of double-tagged packets to adjust the length
accordingly to address CVE-2023-0179.

Reported-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Fixes: f6ae9f120d ("netfilter: nft_payload: add C-VLAN support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-01-18 11:44:51 +01:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p/xen: check logical size for buffer size
2022-12-14 11:31:54 +01:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-14 10:16:18 +01:00
8021q
net: make free_netdev() more lenient with unregistering devices
2022-07-29 17:19:07 +02:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-30 09:41:16 +01:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 10:23:42 +02:00
bluetooth
Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
2023-01-14 10:15:45 +01:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-14 10:15:31 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
bridge: switchdev: Fix memory leaks when changing VLAN protocol
2022-12-02 17:39:57 +01:00
caif
caif: fix memory leak in cfctrl_linkup_request()
2023-01-14 10:16:48 +01:00
can
can: af_can: fix NULL pointer dereference in can_rcv_filter
2022-12-14 11:31:59 +01:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:17:56 +02:00
core
bpf: pull before calling skb_postpull_rcsum()
2023-01-14 10:16:44 +01:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
2022-12-02 17:40:01 +01:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
dns_resolver
docs: networking: convert dns_resolver.txt to ReST
2020-04-28 14:39:46 -07:00
dsa
net: dsa: ksz: Check return value
2022-12-14 11:32:01 +01:00
ethernet
net: move devres helpers into a separate source file
2020-05-23 16:56:17 -07:00
ethtool
ethtool: avoiding integer overflow in ethtool_phys_id()
2023-01-14 10:16:18 +01:00
hsr
hsr: Synchronize sequence number updates.
2023-01-14 10:15:37 +01:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:57:51 +09:00
ife
net: Fix Kconfig indentation
2019-09-26 08:56:17 +02:00
ipv4
net/ulp: prevent ULP without clone op from entering the LISTEN status
2023-01-14 10:16:52 +01:00
ipv6
net: remove cmsg restriction from io_uring based send/recvmsg calls
2023-01-04 11:39:24 +01:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:34:05 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-25 17:45:56 +01:00
key
af_key: Fix send_acquire race with pfkey_register
2022-12-02 17:39:58 +01:00
l2tp
net: fix a concurrency bug in l2tp_tunnel_register()
2022-11-25 17:45:54 +01:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:57:10 +02:00
mac80211
wifi: mac80211: fix memory leak in ieee80211_if_add()
2023-01-14 10:15:36 +01:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:32:01 +01:00
mpls
net: Use u64_stats_fetch_begin_irq() for stats fetch.
2022-09-08 11:11:40 +02:00
mptcp
mptcp: use proper req destructor for IPv6
2023-01-14 10:16:52 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:40:32 +01:00
netfilter
netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
2023-01-18 11:44:51 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 21:01:00 +02:00
netlink
net: genl: fix error path memory leak in policy dumping
2022-08-25 11:38:07 +02:00
netrom
netrom: fix api breakage in nr_setsockopt()
2022-01-27 10:54:03 +01:00
nfc
nfc: Fix potential resource leaks
2023-01-14 10:16:45 +01:00
nsh
treewide: replace '---help---' in Kconfig files with 'help'
2020-06-14 01:57:21 +09:00
openvswitch
openvswitch: Fix flow lookup to use unmasked key
2023-01-14 10:16:12 +01:00
packet
net/af_packet: make sure to pull mac header
2023-01-14 10:16:29 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
qrtr: Convert qrtr_ports from IDR to XArray
2022-08-25 11:38:23 +02:00
rds
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
2022-10-26 13:25:23 +02:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-12 09:18:06 +01:00
rose
rose: Fix NULL pointer dereference in rose_send_frame()
2022-11-10 18:14:19 +01:00
rxrpc
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
2023-01-14 10:16:12 +01:00
sched
net: sched: disallow noqueue for qdisc classes
2023-01-14 10:16:52 +01:00
sctp
sctp: sysctl: make extra pointers netns aware
2023-01-14 10:15:44 +01:00
smc
net/smc: Stop the CLC flow if no link to map buffers on
2022-09-28 11:10:36 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
SUNRPC: ensure the matching upcall is in-flight upon downcall
2023-01-14 10:16:44 +01:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
tipc: call tipc_lxc_xmit without holding node_read_lock
2022-12-14 11:32:04 +01:00
tls
net/tls: Remove the context from the list in tls_device_down
2022-08-03 12:00:46 +02:00
unix
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
2022-12-14 11:32:01 +01:00
vmw_vsock
net: vmw_vsock: vmci: Check memcpy_from_msg()
2023-01-14 10:15:42 +01:00
wimax
genetlink: move to smaller ops wherever possible
2020-10-02 19:11:11 -07:00
wireless
wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
2023-01-14 10:15:36 +01:00
x25
net/x25: Fix skb leak in x25_lapb_receive_frame()
2022-11-25 17:45:47 +01:00
xdp
xsk: Inherit need_wakeup flag for shared sockets
2022-10-15 07:55:51 +02:00
xfrm
xfrm: replay: Fix ESN wrap around for GSO
2022-12-02 17:39:58 +01:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
net: devres: rename the release callback of devm_register_netdev()
2020-06-30 15:57:34 -07:00
Kconfig
drop_monitor: Convert to using devlink tracepoint
2020-09-30 18:01:26 -07:00
Makefile
net: move devres helpers into a separate source file
2020-05-23 16:56:17 -07:00
socket.c
net: remove cmsg restriction from io_uring based send/recvmsg calls
2023-01-04 11:39:24 +01:00
sysctl_net.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00