Tree - rpms/kernel - src.fedoraproject.org

Blob History Raw

		207186f	`Subject: [PATCH nf] netfilter: x_tables: check for size overflow`
		207186f	`From: Florian Westphal <fw () strlen ! de>`
		207186f	`Date: 2016-03-10 0:56:23`
		207186f
		207186f	`Ben Hawkes says:`
		207186f	`integer overflow in xt_alloc_table_info, which on 32-bit systems can`
		207186f	`lead to small structure allocation and a copy_from_user based heap`
		207186f	`corruption.`
		207186f
		207186f	`Reported-by: Ben Hawkes <hawkes@google.com>`
		207186f	`Signed-off-by: Florian Westphal <fw@strlen.de>`
		207186f	`---`
		207186f	`net/netfilter/x_tables.c \| 3 +++`
		207186f	`1 file changed, 3 insertions(+)`
		207186f
		207186f	`diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c`
		207186f	`index c8a0b7d..17a9a9f 100644`
		207186f	`--- a/net/netfilter/x_tables.c`
		207186f	`+++ b/net/netfilter/x_tables.c`
		207186f	`@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)`
		207186f	`struct xt_table_info *info = NULL;`
		207186f	`size_t sz = sizeof(*info) + size;`
		207186f
		207186f	`+ if (sz < sizeof(*info))`
		207186f	`+ return NULL;`
		207186f	`+`
		207186f	`/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */`
		207186f	`if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)`
		207186f	`return NULL;`
		207186f	`--`
		207186f	`2.4.10`