summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2018-09-22 16:46:48 +0300
committerDavid S. Miller <davem@davemloft.net>2018-10-01 22:34:14 -0700
commitaeadd93f2b0a609f603ac33e574b97a9832d1b90 (patch)
tree32784e4248856c3d4ca4d65f413d4ef301fb3c06 /net
parentee0b6f4834b59bb0002e2dc8f42a73a399a9246e (diff)
net: sched: act_ipt: check for underflow in __tcf_ipt_init()
If "td->u.target_size" is larger than sizeof(struct xt_entry_target) we return -EINVAL. But we don't check whether it's smaller than sizeof(struct xt_entry_target) and that could lead to an out of bounds read. Fixes: 7ba699c604ab ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/sched/act_ipt.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 23273b5303fd..8525de811616 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -135,7 +135,7 @@ static int __tcf_ipt_init(struct net *net, unsigned int id, struct nlattr *nla,
}
td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
- if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) {
+ if (nla_len(tb[TCA_IPT_TARG]) != td->u.target_size) {
if (exists)
tcf_idr_release(*a, bind);
else