authorBadhri Jagan Sridharan <badhri@google.com>2018-06-06 14:09:34 +0000
committerAndroid Partner Code Review <android-gerrit-partner@google.com>2018-06-06 14:09:34 +0000
commitf7a4c053db8272ff190792131bb681d397533111 (patch)
tree3d8381a0c4208dd1346e27322c5418383e37974a
parentd24fa2f91d21e8b80205898d583ab84fc0a6cc1d (diff)
parenta728fec200f452fa7259a06a5d660eb0a6a8f03a (diff)
Merge "netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets" into android-chromeos-dragon-3.18android-8.1.0_r0.93
-rw-r--r--net/bridge/netfilter/ebtables.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index d9a8c05d995d..653d72979ee1 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2019,7 +2019,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
if (match_kern)
match_kern->match_size = ret;
- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+ return -EINVAL;
+
match32 = (struct compat_ebt_entry_mwt *) buf;
}
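Review bot: The new `if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))` in ebt_size_mwt still prints a kernel warning with a backtrace for a condition that, going by the commit title, is derived from sizes supplied by userland. If a malformed compat table can reach this branch, every such request adds a backtrace to the log, and on systems that set panic_on_warn the warning stops the machine even though the entry is now rejected. Rejecting without the warning, `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;`, or at least switching to `WARN_ON_ONCE`, keeps the new error return without that side effect. The enclosing loop and the rest of ebt_size_mwt lie outside the hunk, so reachability should be confirmed against the callers.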
@@ -2076,6 +2078,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
*
* offsets are relative to beginning of struct ebt_entry (i.e., 0).
*/
+ for (i = 0; i < 4 ; ++i) {
+ if (offsets[i] >= *total)
+ return -EINVAL;
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
+ return -EINVAL;
+ }
+
for (i = 0, j = 1 ; j < 4 ; j++, i++) {
struct compat_ebt_entry_mwt *match32;
unsigned int size;
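Review bot: The validation loop added to size_entry_mwt has no comment saying what it guards. The existing comment above it only states that offsets are relative to the start of struct ebt_entry. A line such as `/* offsets come from userland: each must lie below *total and they must not decrease */` would record the intent, and would also make clear that equal neighbouring offsets are accepted on purpose. The loop also repeats the literal `4` used by the following loop; if `offsets` is a local array (its declaration is outside the hunk), `i < ARRAY_SIZE(offsets)` keeps the two in step. The `if (i == 0) continue;` step can be dropped by writing the order check as `if (i && offsets[i-1] > offsets[i]) return -EINVAL;`.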