From d886a5d79d449a2407f137dc196d76e5a6e39f42 Mon Sep 17 00:00:00 2001 |
From: Sasha Levin <sashal@kernel.org> |
Date: Sun, 21 Aug 2022 11:47:04 +0200 |
Subject: netfilter: nft_payload: report ERANGE for too long offset and length |
|
From: Pablo Neira Ayuso <pablo@netfilter.org> |
|
[ Upstream commit 94254f990c07e9ddf1634e0b727fab821c3b5bf9 ] |
|
Instead of truncating offset and length to u8, report ERANGE. |
|
Fixes: 96518518cc41 ("netfilter: add nftables") |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
Signed-off-by: Sasha Levin <sashal@kernel.org> |
--- |
net/netfilter/nft_payload.c | 10 ++++++++-- |
1 file changed, 8 insertions(+), 2 deletions(-) |
|
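diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 2e7ac007cb30f..4fee67abfe2c5 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -833,6 +833,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
 {
 enum nft_payload_bases base;
 unsigned int offset, len;
+ int err;
 
 if (tb[NFTA_PAYLOAD_BASE] == NULL ||
 tb[NFTA_PAYLOAD_OFFSET] == NULL ||
@@ -859,8 +860,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
 if (tb[NFTA_PAYLOAD_DREG] == NULL)
 return ERR_PTR(-EINVAL);
 
- offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
- len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
+ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);
+ if (err < 0)
+ return ERR_PTR(err);
+
+ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len);
+ if (err < 0)
+ return ERR_PTR(err);
 
 if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
 base != NFT_PAYLOAD_LL_HEADER && base != NFT_PAYLOAD_INNER_HEADER)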
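Review bot: The `U8_MAX` bound passed to both `nft_parse_u32_check()` calls is not tied to anything visible in the hunk; going by the commit message it mirrors the u8 width the values are later stored in, so a comment above the first call such as `/* offset and len are stored as u8; reject rather than truncate */` would keep the limit from drifting if those fields are ever widened. The checks also sit after the `tb[NFTA_PAYLOAD_DREG] == NULL` test, and `nft_payload_select_ops()` starts and ends outside the hunk, so any branch that returns earlier, or any other function that re-parses `NFTA_PAYLOAD_OFFSET` / `NFTA_PAYLOAD_LEN`, presumably still needs the same range check; this is worth confirming against the full file. A truncated userspace-supplied offset or length makes the rule match bytes other than the ones the ruleset author specified, so the rejection should cover every path that stores these attributes.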
47 |
-- |
48 |
2.35.1 |
49 |
|