Commit 588ef6ec authored by Patrick McHardy's avatar Patrick McHardy Committed by Luis Henriques

netfilter: nf_tables: check for overflow of rule dlen field

commit 9889840f upstream.

Check that the space required for the expressions doesn't exceed the
size of the dlen field, which would lead to the iterators crashing.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent 9aa16680
...@@ -1794,6 +1794,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb, ...@@ -1794,6 +1794,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
n++; n++;
} }
} }
/* Check for overflow of dlen field */
err = -EFBIG;
if (size >= 1 << 12)
goto err1;
if (nla[NFTA_RULE_USERDATA]) if (nla[NFTA_RULE_USERDATA])
ulen = nla_len(nla[NFTA_RULE_USERDATA]); ulen = nla_len(nla[NFTA_RULE_USERDATA]);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment