Skip to content

Commit

Permalink
---
Browse files Browse the repository at this point in the history 
yaml
---
r: 19827
b: refs/heads/master
c: ee4bb81
h: refs/heads/master
i:
  19825: 501f4ca
  19823: 33a6712
v: v3
  • Loading branch information
Kirill Korotaev authored and David S. Miller committed Feb 5, 2006
1 parent 0b73ea1 commit 35f0590
Show file tree
Hide file tree
Showing 5 changed files with 29 additions and 1 deletion.
2 changes: 1 addition & 1 deletion [refs]
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
refs/heads/master: df4e9574a36748c3a4d9b03ffca6b42321a797a9
refs/heads/master: ee4bb818ae35f68d1f848eae0a7b150a38eb4168
7 changes: 7 additions & 0 deletions trunk/net/bridge/netfilter/ebtables.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -934,6 +934,13 @@ static int do_replace(void __user *user, unsigned int len)
BUGPRINT("Entries_size never zero\n");
return -EINVAL;
}
/* overflow check */
if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;

countersize = COUNTER_OFFSET(tmp.nentries) *
(highest_possible_processor_id()+1);
newinfo = (struct ebt_table_info *)
Expand Down
7 changes: 7 additions & 0 deletions trunk/net/ipv4/netfilter/arp_tables.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -807,6 +807,13 @@ static int do_replace(void __user *user, unsigned int len)
if (len != sizeof(tmp) + tmp.size)
return -ENOPROTOOPT;

/* overflow check */
if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
SMP_CACHE_BYTES)
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
return -ENOMEM;
Expand Down
7 changes: 7 additions & 0 deletions trunk/net/ipv4/netfilter/ip_tables.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -921,6 +921,13 @@ do_replace(void __user *user, unsigned int len)
if (len != sizeof(tmp) + tmp.size)
return -ENOPROTOOPT;

/* overflow check */
if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
SMP_CACHE_BYTES)
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
return -ENOMEM;
Expand Down
7 changes: 7 additions & 0 deletions trunk/net/ipv6/netfilter/ip6_tables.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -978,6 +978,13 @@ do_replace(void __user *user, unsigned int len)
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;

/* overflow check */
if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
SMP_CACHE_BYTES)
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
return -ENOMEM;
Expand Down

0 comments on commit 35f0590

Please sign in to comment.