netfilter: nf_tables: validate maximum value of u32 netlink attributes (36b701fa) · Commits · e / devices / android_kernel_fairphone_FP3

include/net/netfilter/nf_tables.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -145,6 +145,7 @@ static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
		return type == NFT_DATA_VERDICT ? NFT_REG_VERDICT : NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE;
		}

		unsigned int nft_parse_u32_check(const struct nlattr attr, int max, u32 dest);
		unsigned int nft_parse_register(const struct nlattr *attr);
		int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);

+25 −0

Original line number	Diff line number	Diff line
		@@ -4409,6 +4409,31 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx,
		return 0;
		}

		/**
		* nft_parse_u32_check - fetch u32 attribute and check for maximum value
		*
		* @attr: netlink attribute to fetch value from
		* @max: maximum value to be stored in dest
		* @dest: pointer to the variable
		*
		* Parse, check and store a given u32 netlink attribute into variable.
		* This function returns -ERANGE if the value goes over maximum value.
		* Otherwise a 0 is returned and the attribute value is stored in the
		* destination variable.
		*/
		unsigned int nft_parse_u32_check(const struct nlattr attr, int max, u32 dest)
		{
		int val;

		val = ntohl(nla_get_be32(attr));
		if (val > max)
		return -ERANGE;

		*dest = val;
		return 0;
		}
		EXPORT_SYMBOL_GPL(nft_parse_u32_check);

		/**
		* nft_parse_register - parse a register value from a netlink attribute
		*

+7 −1

Original line number	Diff line number	Diff line
		@@ -52,6 +52,7 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
		{
		struct nft_bitwise *priv = nft_expr_priv(expr);
		struct nft_data_desc d1, d2;
		u32 len;
		int err;

		if (tb[NFTA_BITWISE_SREG] == NULL \|\|
		@@ -61,7 +62,12 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
		tb[NFTA_BITWISE_XOR] == NULL)
		return -EINVAL;

		priv->len = ntohl(nla_get_be32(tb[NFTA_BITWISE_LEN]));
		err = nft_parse_u32_check(tb[NFTA_BITWISE_LEN], U8_MAX, &len);
		if (err < 0)
		return err;

		priv->len = len;

		priv->sreg = nft_parse_register(tb[NFTA_BITWISE_SREG]);
		err = nft_validate_register_load(priv->sreg, priv->len);
		if (err < 0)

+13 −2

Original line number	Diff line number	Diff line
		@@ -99,6 +99,7 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
		const struct nlattr * const tb[])
		{
		struct nft_byteorder *priv = nft_expr_priv(expr);
		u32 size, len;
		int err;

		if (tb[NFTA_BYTEORDER_SREG] == NULL \|\|
		@@ -117,7 +118,12 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
		return -EINVAL;
		}

		priv->size = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_SIZE]));
		err = nft_parse_u32_check(tb[NFTA_BYTEORDER_SIZE], U8_MAX, &size);
		if (err < 0)
		return err;

		priv->size = size;

		switch (priv->size) {
		case 2:
		case 4:
		@@ -128,7 +134,12 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
		}

		priv->sreg = nft_parse_register(tb[NFTA_BYTEORDER_SREG]);
		priv->len = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_LEN]));
		err = nft_parse_u32_check(tb[NFTA_BYTEORDER_LEN], U8_MAX, &len);
		if (err < 0)
		return err;

		priv->len = len;

		err = nft_validate_register_load(priv->sreg, priv->len);
		if (err < 0)
		return err;

+3 −0

Original line number	Diff line number	Diff line
		@@ -84,6 +84,9 @@ static int nft_cmp_init(const struct nft_ctx ctx, const struct nft_expr expr,
		if (err < 0)
		return err;

		if (desc.len > U8_MAX)
		return -ERANGE;

		priv->op = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
		priv->len = desc.len;
		return 0;