diff options
author | Phil Turnbull <phil.turnbull@oracle.com> | 2016-05-03 16:39:19 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-05-05 16:47:08 +0200 |
commit | eda3fc50daa93b08774a18d51883c5a5d8d85e15 (patch) | |
tree | e3bc0a4fb353f4b65d4fcc8c0a29205c25e2d2d3 /net/netfilter/nfnetlink_acct.c | |
parent | cec5913c1515e5619907016658838af4eff78dd3 (diff) |
netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is
missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is
required to trigger the bug.
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nfnetlink_acct.c')
-rw-r--r-- | net/netfilter/nfnetlink_acct.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c index 4c2b4c0c4d5f..dbd0803b1827 100644 --- a/net/netfilter/nfnetlink_acct.c +++ b/net/netfilter/nfnetlink_acct.c @@ -96,6 +96,8 @@ static int nfnl_acct_new(struct net *net, struct sock *nfnl, return -EINVAL; if (flags & NFACCT_F_OVERQUOTA) return -EINVAL; + if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA]) + return -EINVAL; size += sizeof(u64); } |