Commit cd1748bd authored by David S. Miller's avatar David S. Miller

[NET/COMPAT]: Fix copying of ipt_entry objects in do_netfilter_replace().

As noted by Georg Chini, ipt_entry object are of variable size
so just copying individual struct ipt_entry slots around does
not work.
parent 1910e4dc
...@@ -322,7 +322,7 @@ static int do_netfilter_replace(int fd, int level, int optname, ...@@ -322,7 +322,7 @@ static int do_netfilter_replace(int fd, int level, int optname,
u32 origsize, tmp32, num_counters; u32 origsize, tmp32, num_counters;
unsigned int repl_nat_size; unsigned int repl_nat_size;
int ret; int ret;
int i, num_ents; int i;
compat_uptr_t ucntrs; compat_uptr_t ucntrs;
if (get_user(origsize, &urepl->size)) if (get_user(origsize, &urepl->size))
...@@ -366,15 +366,10 @@ static int do_netfilter_replace(int fd, int level, int optname, ...@@ -366,15 +366,10 @@ static int do_netfilter_replace(int fd, int level, int optname,
__put_user(compat_ptr(ucntrs), &repl_nat->counters)) __put_user(compat_ptr(ucntrs), &repl_nat->counters))
goto out; goto out;
num_ents = origsize / sizeof(struct ipt_entry); if (__copy_in_user(&repl_nat->entries[0],
&urepl->entries[0],
for (i = 0; i < num_ents; i++) { origsize))
struct ipt_entry ent; goto out;
if (__copy_from_user(&ent, &urepl->entries[i], sizeof(ent)) ||
__copy_to_user(&repl_nat->entries[i], &ent, sizeof(ent)))
goto out;
}
for (i = 0; i < NF_IP_NUMHOOKS; i++) { for (i = 0; i < NF_IP_NUMHOOKS; i++) {
if (__get_user(tmp32, &urepl->hook_entry[i]) || if (__get_user(tmp32, &urepl->hook_entry[i]) ||
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment