netfilter: nf_tables: check for overflow of rule dlen field
authorPatrick McHardy <kaber@trash.net>
Tue, 3 Mar 2015 20:04:19 +0000 (20:04 +0000)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 4 Mar 2015 17:46:05 +0000 (18:46 +0100)
Check that the space required for the expressions doesn't exceed the
size of the dlen field, which would lead to the iterators crashing.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_tables_api.c

index 6fb532bf0fdb522a609d6b9182593344ec48f0a5..7baafd5ab52093bf2148076cbba320e17f6c7e2a 100644 (file)
@@ -1968,6 +1968,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
                        n++;
                }
        }
+       /* Check for overflow of dlen field */
+       err = -EFBIG;
+       if (size >= 1 << 12)
+               goto err1;
 
        if (nla[NFTA_RULE_USERDATA])
                ulen = nla_len(nla[NFTA_RULE_USERDATA]);