Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aeadd93f authored by Dan Carpenter's avatar Dan Carpenter Committed by David S. Miller
Browse files

net: sched: act_ipt: check for underflow in __tcf_ipt_init()



If "td->u.target_size" is larger than sizeof(struct xt_entry_target) we
return -EINVAL.  But we don't check whether it's smaller than
sizeof(struct xt_entry_target) and that could lead to an out of bounds
read.

Fixes: 7ba699c6 ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ee0b6f48
Loading
Loading
Loading
Loading
+1 −1
Original line number Original line Diff line number Diff line
@@ -135,7 +135,7 @@ static int __tcf_ipt_init(struct net *net, unsigned int id, struct nlattr *nla,
	}
	}


	td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
	td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
	if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) {
	if (nla_len(tb[TCA_IPT_TARG]) != td->u.target_size) {
		if (exists)
		if (exists)
			tcf_idr_release(*a, bind);
			tcf_idr_release(*a, bind);
		else
		else