netfilter: x_tables: check for size overflow

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Ben Hawkes says:
integer overflow in xt_alloc_table_info, which on 32-bit systems can
lead to small structure allocation and a copy_from_user based heap
corruption.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by

Pablo Neira Ayuso 10 years ago d157bd76 f0716cd6

1 changed file

expand all

net

netfilter

x_tables.c

net/netfilter/x_tables.c

··· 659 659 struct xt_table_info *info = NULL; 660 660 size_t sz = sizeof(*info) + size; 661 661 662 + if (sz < sizeof(*info)) 663 + return NULL; 664 + 662 665 /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ 663 666 if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) 664 667 return NULL;