netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter

BugLink: https://bugs.launchpad.net/bugs/1840335 [ Upstream commit eda3fc50 ] If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is required to trigger the bug. Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
BugLink: https://bugs.launchpad.net/bugs/1840335 [ Upstream commit eda3fc50 ] If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is required to trigger the bug. Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
235ee330 · Phil Turnbull · Stefan Bader · 2d4cdd66 · 235ee330
Commit 235ee330 authored May 03, 2016 by Phil Turnbull Committed by Stefan Bader Sep 17, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

net/netfilter/nfnetlink_acct.c net/netfilter/nfnetlink_acct.c +2 -0

No files found.
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -97,6 +97,8 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
 			return -EINVAL;
 		if (flags & NFACCT_F_OVERQUOTA)
 			return -EINVAL;
+		if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])
+			return -EINVAL;

 		size += sizeof(u64);
 	}