git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Dave Jones <davej@codemonkey.org.uk>
	Wed, 20 May 2015 00:55:17 +0000 (20:55 -0400)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 20 May 2015 11:46:49 +0000 (13:46 +0200)
commit	1086bbe97a074844188c6c988fa0b1a98c3ccbb9
tree	c4b90cdf9b27072391ec62aa06408e1a57baed1e	tree \| snapshot
parent	3bfe049807c240344b407e3cfb74544927359817	commit \| diff

netfilter: ensure number of counters is >0 in do_replace()

After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:

warn_alloc_failed+0xe9/0x140
__vmalloc_node_range+0x1be/0x270
vzalloc+0x4b/0x50
__do_replace+0x52/0x260 [ip_tables]
do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
nf_setsockopt+0x65/0x90
ip_setsockopt+0x61/0xa0
raw_setsockopt+0x16/0x60
sock_common_setsockopt+0x14/0x20
SyS_setsockopt+0x71/0xd0

It turns out we don't validate that the num_counters field in the
struct we pass in from userspace is initialized.

The same problem also exists in ebtables, arptables, ipv6, and the
compat variants.

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/bridge/netfilter/ebtables.c		diff \| blob \| history
net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history