author | Badhri Jagan Sridharan <badhri@google.com> | 2018-06-06 14:09:34 +0000 |
---|---|---|
committer | Android Partner Code Review <android-gerrit-partner@google.com> | 2018-06-06 14:09:34 +0000 |
commit | f7a4c053db8272ff190792131bb681d397533111 (patch) | |
tree | 3d8381a0c4208dd1346e27322c5418383e37974a | |
parent | d24fa2f91d21e8b80205898d583ab84fc0a6cc1d (diff) | |
parent | a728fec200f452fa7259a06a5d660eb0a6a8f03a (diff) | |
download | tegra-f7a4c053db8272ff190792131bb681d397533111.tar.gz |
Merge "netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets" into android-chromeos-dragon-3.18android-8.1.0_r0.93
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index d9a8c05d995d..653d72979ee1 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2019,7 +2019,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
 if (match_kern)
 match_kern->match_size = ret;

- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+ return -EINVAL;
+
 match32 = (struct compat_ebt_entry_mwt *) buf;
 }

@@ -2076,6 +2078,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
 *
 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
 */
+ for (i = 0; i < 4 ; ++i) {
+ if (offsets[i] >= *total)
+ return -EINVAL;
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
+ return -EINVAL;
+ }
+
 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
 struct compat_ebt_entry_mwt *match32;
 unsigned int size; |
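Review bot: The new `if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))` in ebt_size_mwt still raises a kernel warning on a condition that, going by the commit title, depends on offsets supplied by userland. If a malformed compat ruleset can reach it, each such request logs a backtrace, and a system booted with panic_on_warn goes down, so the rejection is better done quietly: `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;`. A short comment such as `/* trailing bytes after the target: malformed ruleset from userland */` would record why this is an input error rather than a kernel bug. The surrounding loop and the rest of ebt_size_mwt lie outside the hunk.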
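Review bot: The bound `offsets[i] >= *total` in the new loop in size_entry_mwt looks too strict for the last slot. If offsets[3] is the entry's next_offset and *total is the number of bytes left in the blob (neither definition is visible in this hunk), the final entry of a ruleset has offsets[3] == *total and would be rejected with -EINVAL. Consider `if (offsets[i] > *total) return -EINVAL;` followed by `if (i < 3 && offsets[i] == *total) return -EINVAL;`, and a compat test that loads a ruleset ending exactly at the end of the buffer. The literal 4 could also be `ARRAY_SIZE(offsets)` if offsets is declared as an array in this function, which the hunk does not show.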