netfilter: nft_hash: fix hash overflow validation

The overflow validation in the init() function establishes that the maximum value that the hash could reach is less than U32_MAX, which is likely to be true. The fix detects the overflow when the maximum hash value is less than the offset itself. Fixes: 70ca767e ("netfilter: nft_hash: Add hash offset value") Reported-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nft_hash: fix hash overflow validation
The overflow validation in the init() function establishes that the maximum value that the hash could reach is less than U32_MAX, which is likely to be true. The fix detects the overflow when the maximum hash value is less than the offset itself. Fixes: 70ca767e ("netfilter: nft_hash: Add hash offset value") Reported-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
14e2dee0 · Laura Garcia Liebana · Pablo Neira Ayuso · 2e917d60 · 14e2dee0
Commit 14e2dee0 authored Sep 13, 2016 by Laura Garcia Liebana Committed by Pablo Neira Ayuso Sep 13, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/netfilter/nft_hash.c net/netfilter/nft_hash.c +1 -1

No files found.
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -76,7 +76,7 @@ static int nft_hash_init(const struct nft_ctx *ctx,
 	if (priv->modulus <= 1)
 		return -ERANGE;

-	if (priv->offset + priv->modulus - 1 < U32_MAX)
+	if (priv->offset + priv->modulus - 1 < priv->offset)
 		return -EOVERFLOW;

 	priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED]));