netfilter: nf_tables: check for overflow of rule dlen field Check that the space required for the expressions doesn't exceed the size of the dlen field, which would lead to the iterators crashing. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit: 9889840f5988ecfd43b00c9abb83c1804e21406b [log] [tgz]
author: Patrick McHardy <kaber@trash.net> Tue Mar 03 20:04:19 2015 +0000
committer: Pablo Neira Ayuso <pablo@netfilter.org> Wed Mar 04 18:46:05 2015 +0100
tree: 9124100fd1cb08ea518f56d01b7f0907fd362fe7
parent: 8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf [diff] [blame]
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 6fb532b..7baafd5 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c

@@ -1968,6 +1968,10 @@
 			n++;
 		}
 	}
+	/* Check for overflow of dlen field */
+	err = -EFBIG;
+	if (size >= 1 << 12)
+		goto err1;
 
 	if (nla[NFTA_RULE_USERDATA])
 		ulen = nla_len(nla[NFTA_RULE_USERDATA]);
commit	9889840f5988ecfd43b00c9abb83c1804e21406b	[log] [tgz]
author	Patrick McHardy <kaber@trash.net>	Tue Mar 03 20:04:19 2015 +0000
committer	Pablo Neira Ayuso <pablo@netfilter.org>	Wed Mar 04 18:46:05 2015 +0100
tree	9124100fd1cb08ea518f56d01b7f0907fd362fe7
parent	8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf [diff] [blame]