From: Dan Carpenter Date: Sat, 22 Sep 2018 13:46:48 +0000 (+0300) Subject: net: sched: act_ipt: check for underflow in __tcf_ipt_init() X-Git-Tag: v4.19~103^2~21 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=aeadd93f2b0a609f603ac33e574b97a9832d1b90;p=platform%2Fkernel%2Flinux-rpi.git net: sched: act_ipt: check for underflow in __tcf_ipt_init() If "td->u.target_size" is larger than sizeof(struct xt_entry_target) we return -EINVAL. But we don't check whether it's smaller than sizeof(struct xt_entry_target) and that could lead to an out of bounds read. Fixes: 7ba699c604ab ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller --- diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c index 23273b5..8525de81 100644 --- a/net/sched/act_ipt.c +++ b/net/sched/act_ipt.c @@ -135,7 +135,7 @@ static int __tcf_ipt_init(struct net *net, unsigned int id, struct nlattr *nla, } td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]); - if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) { + if (nla_len(tb[TCA_IPT_TARG]) != td->u.target_size) { if (exists) tcf_idr_release(*a, bind); else