Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 14463859 authored by Gustavo A. R. Silva's avatar Gustavo A. R. Silva Committed by Pablo Neira Ayuso
Browse files

netfilter: nfnetlink_cthelper: Remove VLA usage 

In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation.

>From a security viewpoint, the use of Variable Length Arrays can be
a vector for stack overflow attacks. Also, in general, as the code
evolves it is easy to lose track of how big a VLA can get. Thus, we
can end up having segfaults that are hard to debug.

Also, fixed as part of the directive to remove all VLAs from
the kernel: https://lkml.org/lkml/2018/3/7/621



Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 8039ab43

net/netfilter/nfnetlink_cthelper.c

+17 −8
Original line number Diff line number Diff line
@@ -314,23 +314,30 @@ nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy, 
static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],

					   struct nf_conntrack_helper *helper)

{

	struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];

	struct nf_conntrack_expect_policy *new_policy;

	struct nf_conntrack_expect_policy *policy;

	int i, err;

	int i, ret = 0;



	new_policy = kmalloc_array(helper->expect_class_max + 1,

				   sizeof(*new_policy), GFP_KERNEL);

	if (!new_policy)

		return -ENOMEM;



	/* Check first that all policy attributes are well-formed, so we don't

	 * leave things in inconsistent state on errors.

	 */

	for (i = 0; i < helper->expect_class_max + 1; i++) {



		if (!tb[NFCTH_POLICY_SET + i])

			return -EINVAL;

		if (!tb[NFCTH_POLICY_SET + i]) {

			ret = -EINVAL;

			goto err;

		}



		err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],

		ret = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],

						      &new_policy[i],

						      tb[NFCTH_POLICY_SET + i]);

		if (err < 0)

			return err;

		if (ret < 0)

			goto err;

	}

	/* Now we can safely update them. */

	for (i = 0; i < helper->expect_class_max + 1; i++) {
@@ -340,7 +347,9 @@ static int nfnl_cthelper_update_policy_all(struct nlattr *tb[], 
		policy->timeout	= new_policy->timeout;

	}



	return 0;

err:

	kfree(new_policy);

	return ret;

}



static int nfnl_cthelper_update_policy(struct nf_conntrack_helper *helper,