diff options
| author | Florian Westphal <fw@strlen.de> | 2016-03-10 01:56:23 +0100 |
|---|---|---|
| committer | Ziyan <jaraidaniel@gmail.com> | 2016-10-29 01:34:13 +0200 |
| commit | 285797021c0503ae56f17c73cc332b80fb5991f0 (patch) | |
| tree | c75c4c6b6e21894d64dbe6f9d87ce420d7c78e34 | |
| parent | 6dd8bc733e896bdeee66992737292cec28ef2339 (diff) | |
| download | kernel_samsung_tuna-285797021c0503ae56f17c73cc332b80fb5991f0.zip kernel_samsung_tuna-285797021c0503ae56f17c73cc332b80fb5991f0.tar.gz kernel_samsung_tuna-285797021c0503ae56f17c73cc332b80fb5991f0.tar.bz2 | |
netfilter: x_tables: check for size overflow
Ben Hawkes says:
integer overflow in xt_alloc_table_info, which on 32-bit systems can
lead to small structure allocation and a copy_from_user based heap
corruption.
Change-Id: I13c554c630651a37e3f6a195e9a5f40cddcb29a1
Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | net/netfilter/x_tables.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index b0869fe..9d4ad83 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -663,6 +663,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) { struct xt_table_info *newinfo; int cpu; + size_t sz = sizeof(*newinfo) + size; + + if (sz < sizeof(*newinfo)) + return NULL; /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) |