From patchwork Sat Aug 24 03:04:55 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: remaper <yp.fangdong@gmail.com>
X-Patchwork-Id: 269478
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 29FDB2C0099
	for <incoming@patchwork.ozlabs.org>;
	Sat, 24 Aug 2013 01:06:34 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755438Ab3HWPGY (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Fri, 23 Aug 2013 11:06:24 -0400
Received: from mail-pa0-f41.google.com ([209.85.220.41]:45547 "EHLO
	mail-pa0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1755411Ab3HWPGV (ORCPT
	<rfc822;netfilter-devel@vger.kernel.org>);
	Fri, 23 Aug 2013 11:06:21 -0400
Received: by mail-pa0-f41.google.com with SMTP id bj1so795474pad.0
	for <multiple recipients>; Fri, 23 Aug 2013 08:06:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id;
	bh=UoEMEY+jpD7Qvi55coWwYzUW1T95EInBrputZLbehQs=;
	b=xK3UMyv0ebGKiwsEsSByU/+hYclgJQY0ZNQU//mLitGv+JtBE73Pn5Q8g0bQcAX0My
	ugTrOa9YJhNSWSF2eNvhCmC/SSmLncCNaA3pxBHIPsCrfzcFtRqdX/1//Mf1XnGiXCht
	oVcr2FwVA51OZW+J3AWcTddBgw8nFFeJfcgpV26RMtWFHK0/gZPwO3MJfhuJIkLH55SL
	dfMXQriujMcYwUjJjW4RQ7Ur7JhhpWfqrcOHK3FsrI/J5DvFCseGBxgh3j38gJXyjJCT
	8MiGiyx2FyUdlv9HK/7P+sCoWGfur4lkB9aBc/M4wN9zGVGvqIVKWQhuPWPhbRvQK6Zo
	+PPQ==
X-Received: by 10.66.121.68 with SMTP id li4mr21199903pab.33.1377270380600;
	Fri, 23 Aug 2013 08:06:20 -0700 (PDT)
Received: from localhost.localdomain ([218.18.133.75])
	by mx.google.com with ESMTPSA id bt1sm330588pbb.2.1969.12.31.16.00.00
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Fri, 23 Aug 2013 08:06:19 -0700 (PDT)
From: Dong Fang <yp.fangdong@gmail.com>
To: pablo@netfilter.org, kaber@trash.net, kadlec@blackhole.kfki.hu,
	davem@davemloft.net
Cc: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org,
	coreteam@netfilter.org, netdev@vger.kernel.org,
	Dong Fang <yp.fangdong@gmail.com>
Subject: [PATCH] netfilter: avoid array overflow in nf_register_hook
Date: Fri, 23 Aug 2013 23:04:55 -0400
Message-Id: <1377313495-16060-1-git-send-email-yp.fangdong@gmail.com>
X-Mailer: git-send-email 1.7.1
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

This patch fix the array overflow in nf_register_hook function

Signed-off-by: Dong Fang <yp.fangdong@gmail.com>
---
 net/netfilter/core.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 2217363..819eee1 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -68,8 +68,11 @@ static DEFINE_MUTEX(nf_hook_mutex);
 int nf_register_hook(struct nf_hook_ops *reg)
 {
 	struct nf_hook_ops *elem;
-	int err;
+	int err = -EINVAL;
 
+	if (reg->pf >= NFPROTO_NUMPROTO || reg->hooknum >= NF_MAX_HOOKS)
+		return err;
+
 	err = mutex_lock_interruptible(&nf_hook_mutex);
 	if (err < 0)
 		return err;