diff options
| author | Florian Westphal <fw@strlen.de> | 2016-03-10 01:56:23 +0100 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2016-11-17 12:11:46 +0100 |
| commit | a4d579a092054ba04052bb660a7caf1d8a31fe4c (patch) | |
| tree | 2c4b798cfcda7d13f089bcb51e9d21090100d43f /net | |
| parent | f8838b48efe5a690b68eca4634b01f03e04560b4 (diff) | |
netfilter: x_tables: check for size overflow
Ben Hawkes says:
integer overflow in xt_alloc_table_info, which on 32-bit systems can
lead to small structure allocation and a copy_from_user based heap
corruption.
Change-Id: I13c554c630651a37e3f6a195e9a5f40cddcb29a1
Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/x_tables.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 76909ac11..155b7f994 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -916,6 +916,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) { struct xt_table_info *newinfo; int cpu; + size_t sz = sizeof(*newinfo) + size; + + if (sz < sizeof(*newinfo)) + return NULL; /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) |