netfilter: nf_tables: check for overflow of rule dlen field

commit 9889840f upstream. Check that the space required for the expressions doesn't exceed the size of the dlen field, which would lead to the iterators crashing. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

netfilter: nf_tables: check for overflow of rule dlen field
commit 9889840f upstream. Check that the space required for the expressions doesn't exceed the size of the dlen field, which would lead to the iterators crashing. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
588ef6ec · Patrick McHardy · Luis Henriques · 9aa16680 · 588ef6ec
Commit 588ef6ec authored Mar 03, 2015 by Patrick McHardy Committed by Luis Henriques May 20, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

net/netfilter/nf_tables_api.c net/netfilter/nf_tables_api.c +4 -0

No files found.
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1794,6 +1794,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 			n++;
 		}
 	}
+	/* Check for overflow of dlen field */
+	err = -EFBIG;
+	if (size >= 1 << 12)
+		goto err1;

 	if (nla[NFTA_RULE_USERDATA])
 		ulen = nla_len(nla[NFTA_RULE_USERDATA]);