Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: nft_compat: check match/targetinfo attr size

We copy according to ->target|matchsize, so check that the netlink attribute
(which can include padding and might be larger) contains enough data.

Reported-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Authored by Florian Westphal and committed by Pablo Neira Ayuso
f0716cd6 d387eaf5

+6
+6
net/netfilter/nft_compat.c
··· 660 660 if (IS_ERR(match)) 661 661 return ERR_PTR(-ENOENT); 662 662 663 + if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO])) 664 + return ERR_PTR(-EINVAL); 665 + 663 666 /* This is the first time we use this match, allocate operations */ 664 667 nft_match = kzalloc(sizeof(struct nft_xt), GFP_KERNEL); 665 668 if (nft_match == NULL) ··· 742 739 target = xt_request_find_target(family, tg_name, rev); 743 740 if (IS_ERR(target)) 744 741 return ERR_PTR(-ENOENT); 742 + 743 + if (target->targetsize > nla_len(tb[NFTA_TARGET_INFO])) 744 + return ERR_PTR(-EINVAL); 745 745 746 746 /* This is the first time we use this target, allocate operations */ 747 747 nft_target = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
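Review bot: in the first hunk, the new `match->matchsize > nla_len(tb[NFTA_MATCH_INFO])` test dereferences `tb[NFTA_MATCH_INFO]`, and nothing in the visible context shows that the attribute is known to be present at this point. Please confirm that a NULL check on `tb[NFTA_MATCH_INFO]` precedes this line in the function, or add one here, since an absent attribute would make `nla_len()` read through a NULL pointer. A one-line comment that the attribute may legitimately be larger than `matchsize` because of padding, as the commit message says, would also explain why the comparison is `>` rather than `!=`.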
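Review bot: in the second hunk, the new `return ERR_PTR(-EINVAL)` runs after `xt_request_find_target(family, tg_name, rev)` has succeeded, and that lookup returns with a reference held on the target's module, so this early return leaks the reference every time userspace sends an undersized `NFTA_TARGET_INFO`. Suggest dropping it before returning, for example `module_put(target->me);` ahead of the return, or routing both this check and the later `kzalloc()` failure through a common error label. The same applies to the `matchsize` check in the first hunk, which returns after the `IS_ERR(match)` test has passed.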