Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 87001535 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Greg Kroah-Hartman
Browse files

netfilter: nft_payload: report ERANGE for too long offset and length 



[ Upstream commit 94254f990c07e9ddf1634e0b727fab821c3b5bf9 ]

Instead of offset and length are truncation to u8, report ERANGE.

Fixes: 96518518 ("netfilter: add nftables")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent bc7ba4cd

net/netfilter/nft_payload.c

+8 −2
Original line number Diff line number Diff line
@@ -624,6 +624,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx, 
{

	enum nft_payload_bases base;

	unsigned int offset, len;

	int err;



	if (tb[NFTA_PAYLOAD_BASE] == NULL ||

	    tb[NFTA_PAYLOAD_OFFSET] == NULL ||
@@ -649,8 +650,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx, 
	if (tb[NFTA_PAYLOAD_DREG] == NULL)

		return ERR_PTR(-EINVAL);



	offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));

	len    = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));

	err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);

	if (err < 0)

		return ERR_PTR(err);



	err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len);

	if (err < 0)

		return ERR_PTR(err);



	if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&

	    base != NFT_PAYLOAD_LL_HEADER)