From 35f05905815ca07f5adb3c5998050dd21cd88f23 Mon Sep 17 00:00:00 2001 From: Kirill Korotaev Date: Sat, 4 Feb 2006 02:16:56 -0800 Subject: [PATCH] --- yaml --- r: 19827 b: refs/heads/master c: ee4bb818ae35f68d1f848eae0a7b150a38eb4168 h: refs/heads/master i: 19825: 501f4ca3dc9260ac2513e998aed80688512a2b3c 19823: 33a6712d5f09566c2c392b7d006fec2ad70381b4 v: v3 --- [refs] | 2 +- trunk/net/bridge/netfilter/ebtables.c | 7 +++++++ trunk/net/ipv4/netfilter/arp_tables.c | 7 +++++++ trunk/net/ipv4/netfilter/ip_tables.c | 7 +++++++ trunk/net/ipv6/netfilter/ip6_tables.c | 7 +++++++ 5 files changed, 29 insertions(+), 1 deletion(-) diff --git a/[refs] b/[refs] index aa502545da48..b7e4d1c643de 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: df4e9574a36748c3a4d9b03ffca6b42321a797a9 +refs/heads/master: ee4bb818ae35f68d1f848eae0a7b150a38eb4168 diff --git a/trunk/net/bridge/netfilter/ebtables.c b/trunk/net/bridge/netfilter/ebtables.c index 00729b3604f8..cbd4020cc84d 100644 --- a/trunk/net/bridge/netfilter/ebtables.c +++ b/trunk/net/bridge/netfilter/ebtables.c @@ -934,6 +934,13 @@ static int do_replace(void __user *user, unsigned int len) BUGPRINT("Entries_size never zero\n"); return -EINVAL; } + /* overflow check */ + if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS - + SMP_CACHE_BYTES) / sizeof(struct ebt_counter)) + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) + return -ENOMEM; + countersize = COUNTER_OFFSET(tmp.nentries) * (highest_possible_processor_id()+1); newinfo = (struct ebt_table_info *) diff --git a/trunk/net/ipv4/netfilter/arp_tables.c b/trunk/net/ipv4/netfilter/arp_tables.c index afe3d8f8177d..dd1048be8a01 100644 --- a/trunk/net/ipv4/netfilter/arp_tables.c +++ b/trunk/net/ipv4/netfilter/arp_tables.c @@ -807,6 +807,13 @@ static int do_replace(void __user *user, unsigned int len) if (len != sizeof(tmp) + tmp.size) return -ENOPROTOOPT; + /* overflow check */ + if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - + SMP_CACHE_BYTES) + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; + newinfo = xt_alloc_table_info(tmp.size); if (!newinfo) return -ENOMEM; diff --git a/trunk/net/ipv4/netfilter/ip_tables.c b/trunk/net/ipv4/netfilter/ip_tables.c index 2371b2062c2d..16f47c675fef 100644 --- a/trunk/net/ipv4/netfilter/ip_tables.c +++ b/trunk/net/ipv4/netfilter/ip_tables.c @@ -921,6 +921,13 @@ do_replace(void __user *user, unsigned int len) if (len != sizeof(tmp) + tmp.size) return -ENOPROTOOPT; + /* overflow check */ + if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - + SMP_CACHE_BYTES) + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; + newinfo = xt_alloc_table_info(tmp.size); if (!newinfo) return -ENOMEM; diff --git a/trunk/net/ipv6/netfilter/ip6_tables.c b/trunk/net/ipv6/netfilter/ip6_tables.c index 847068fd3367..74ff56c322f4 100644 --- a/trunk/net/ipv6/netfilter/ip6_tables.c +++ b/trunk/net/ipv6/netfilter/ip6_tables.c @@ -978,6 +978,13 @@ do_replace(void __user *user, unsigned int len) if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) return -EFAULT; + /* overflow check */ + if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - + SMP_CACHE_BYTES) + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; + newinfo = xt_alloc_table_info(tmp.size); if (!newinfo) return -ENOMEM;