diff options
author | Patrick McHardy <kaber@trash.net> | 2015-03-03 20:04:19 +0000 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-03-04 18:46:05 +0100 |
commit | 9889840f5988ecfd43b00c9abb83c1804e21406b (patch) | |
tree | 9124100fd1cb08ea518f56d01b7f0907fd362fe7 /net | |
parent | 8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf (diff) | |
download | infiniband-9889840f5988ecfd43b00c9abb83c1804e21406b.tar.gz |
netfilter: nf_tables: check for overflow of rule dlen field
Check that the space required for the expressions doesn't exceed the
size of the dlen field, which would lead to the iterators crashing.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_tables_api.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 6fb532bf0fdb52..7baafd5ab52093 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1968,6 +1968,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb, n++; } } + /* Check for overflow of dlen field */ + err = -EFBIG; + if (size >= 1 << 12) + goto err1; if (nla[NFTA_RULE_USERDATA]) ulen = nla_len(nla[NFTA_RULE_USERDATA]); |