net: sched: act_ipt: check for underflow in __tcf_ipt_init()

commit aeadd93f2b0a609f603ac33e574b97a9832d1b90 upstream. If "td->u.target_size" is larger than sizeof(struct xt_entry_target) we return -EINVAL. But we don't check whether it's smaller than sizeof(struct xt_entry_target) and that could lead to an out of bounds read. Fixes: 7ba699c604ab ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API") Change-Id: I0b735c25e7fedda87bb30d78983175b9a4e8a294 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Dan Carpenter <dan.carpenter@oracle.com> 2018-09-22 16:46:48 +0300
committer: Moyster <oysterized@gmail.com> 2019-05-03 19:24:03 +0200
commit: 14e7a4c00404a80225e73fe793c5590c8bce8431 (patch)
tree: 4de5c142c71f8b68d9d01d48a9283355f66c0ae7 /net
parent: ea6ffce4ebbbde90e9d81fa8052d7098474531d8 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 60d88b6b9..37d6fae50 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -127,7 +127,7 @@ static int tcf_ipt_init(struct net *net, struct nlattr *nla, struct nlattr *est,
 		return -EINVAL;
 
 	td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
-	if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size)
+	if (nla_len(tb[TCA_IPT_TARG]) != td->u.target_size)
 		return -EINVAL;
 
 	if (tb[TCA_IPT_INDEX] != NULL)
author	Dan Carpenter <dan.carpenter@oracle.com>	2018-09-22 16:46:48 +0300
committer	Moyster <oysterized@gmail.com>	2019-05-03 19:24:03 +0200
commit	14e7a4c00404a80225e73fe793c5590c8bce8431 (patch)
tree	4de5c142c71f8b68d9d01d48a9283355f66c0ae7 /net
parent	ea6ffce4ebbbde90e9d81fa8052d7098474531d8 (diff)