authorPatrick McHardy <kaber@trash.net>2015-03-03 20:04:19 +0000
committerPablo Neira Ayuso <pablo@netfilter.org>2015-03-04 18:46:05 +0100
commit9889840f5988ecfd43b00c9abb83c1804e21406b (patch)
tree9124100fd1cb08ea518f56d01b7f0907fd362fe7 /net
parent8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf (diff)
netfilter: nf_tables: check for overflow of rule dlen field
Check that the space required for the expressions doesn't exceed the size of the dlen field, which would lead to the iterators crashing. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_tables_api.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 6fb532bf0fdb..7baafd5ab520 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1968,6 +1968,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
n++;
}
}
+ /* Check for overflow of dlen field */
+ err = -EFBIG;
+ if (size >= 1 << 12)
+ goto err1;
if (nla[NFTA_RULE_USERDATA])
ulen = nla_len(nla[NFTA_RULE_USERDATA]);
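Review bot: The bound in `if (size >= 1 << 12)` is a bare literal that has to stay equal to the width of the rule's dlen field, which is declared outside this hunk, so a later change to that field would leave this check stale with nothing pointing at it. I would name the limit next to the field's declaration and compare against it, e.g. `if (size >= NFT_RULE_DLEN_LIMIT)` (placeholder name), and expand the comment to `/* dlen is a 12-bit field; a larger size would be truncated and the expression iterators would walk past the rule data */`, assuming the width is indeed 12 bits as the literal implies. Separately, the user-data length taken on the following line (`ulen = nla_len(nla[NFTA_RULE_USERDATA]);`) has no bound in the visible lines; it is worth confirming it is checked against the size of the field it is stored in. The body of nf_tables_newrule starts and ends outside the hunk, so both points need checking against the full function.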