
Commit d157bd7

Florian Westphal authored and ummakynes committed
netfilter: x_tables: check for size overflow
Ben Hawkes says:

integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent f0716cd commit d157bd7

1 file changed, +3 -0 lines changed

Diff for: net/netfilter/x_tables.c

@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
659659
struct xt_table_info *info = NULL;
660660
size_t sz = sizeof(*info) + size;
661661

662+
if (sz < sizeof(*info))
663+
return NULL;
664+
662665
/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
663666
if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
664667
return NULL;
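
Review bot: The added test "if (sz < sizeof(*info))" at new line 662 has no comment, while the check right below it does, and its purpose is not obvious on a first read. It detects wraparound of "sizeof(*info) + size" from the line above, which can only occur where size_t is no wider than the unsigned int parameter, i.e. the 32-bit case the commit message names. A one-line comment saying that would keep the check from being removed later as dead code on 64-bit builds. Separately, the totalram_pages check in the trailing context still works on size rather than sz, so the two guards bound different quantities; it is worth confirming that the "+ 2" there is meant to cover the header that sz includes.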
