summaryrefslogtreecommitdiff
path: root/net/netfilter/nfnetlink_acct.c
diff options
context:
space:
mode:
authorPhil Turnbull <phil.turnbull@oracle.com>2016-05-03 16:39:19 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2016-05-05 16:47:08 +0200
commiteda3fc50daa93b08774a18d51883c5a5d8d85e15 (patch)
treee3bc0a4fb353f4b65d4fcc8c0a29205c25e2d2d3 /net/netfilter/nfnetlink_acct.c
parentcec5913c1515e5619907016658838af4eff78dd3 (diff)
netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is required to trigger the bug. Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nfnetlink_acct.c')
-rw-r--r--net/netfilter/nfnetlink_acct.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 4c2b4c0c4d5f..dbd0803b1827 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -96,6 +96,8 @@ static int nfnl_acct_new(struct net *net, struct sock *nfnl,
return -EINVAL;
if (flags & NFACCT_F_OVERQUOTA)
return -EINVAL;
+ if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])
+ return -EINVAL;
size += sizeof(u64);
}