projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ee0b6f4)
net: sched: act_ipt: check for underflow in __tcf_ipt_init()
authorDan Carpenter <dan.carpenter@oracle.com>
Sat, 22 Sep 2018 13:46:48 +0000 (16:46 +0300)
committerDavid S. Miller <davem@davemloft.net>
Tue, 2 Oct 2018 05:34:14 +0000 (22:34 -0700)
If "td->u.target_size" is larger than sizeof(struct xt_entry_target) we
return -EINVAL.  But we don't check whether it's smaller than
sizeof(struct xt_entry_target) and that could lead to an out of bounds
read.

Fixes: 7ba699c604ab ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/act_ipt.c patch | blob | history

diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 23273b5..8525de8 100644 (file)
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -135,7 +135,7 @@ static int __tcf_ipt_init(struct net *net, unsigned int id, struct nlattr *nla,
        }
 
        td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
-       if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) {
+       if (nla_len(tb[TCA_IPT_TARG]) != td->u.target_size) {
                if (exists)
                        tcf_idr_release(*a, bind);
                else
Domain: System / Kernel;