Patchwork netfilter: avoid array overflow in nf_register_hook

login
register
mail settings
Submitter remaper
Date Aug. 24, 2013, 3:07 a.m.
Message ID <1377313651-16096-1-git-send-email-yp.fangdong@gmail.com>
Download mbox | patch
Permalink /patch/269479/
State Not Applicable
Headers show

Comments

Sergei Shtylyov - Aug. 23, 2013, 6:14 p.m.
Hello.

On 08/24/2013 07:07 AM, Dong Fang wrote:

> This patch fix the array overflow in nf_register_hook function

> Signed-off-by: Dong Fang <yp.fangdong@gmail.com>
> ---
>   net/netfilter/core.c |    5 ++++-
>   1 files changed, 4 insertions(+), 1 deletions(-)

> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index 2217363..819eee1 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -68,8 +68,11 @@ static DEFINE_MUTEX(nf_hook_mutex);
>   int nf_register_hook(struct nf_hook_ops *reg)
>   {
>   	struct nf_hook_ops *elem;
> -	int err;
> +	int err = -EINVAL;
>
> +	if (reg->pf >= NFPROTO_NUMPROTO || reg->hooknum >= NF_MAX_HOOKS)
> +		return err;

    Why not just return -EINVAL and avoid unneeded 'err' initialization?

> +
>   	err = mutex_lock_interruptible(&nf_hook_mutex);
>   	if (err < 0)
>   		return err;

WBR, Sergei


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
remaper - Aug. 24, 2013, 3:07 a.m.
This patch fix the array overflow in nf_register_hook function

Signed-off-by: Dong Fang <yp.fangdong@gmail.com>
---
 net/netfilter/core.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

Patch

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 2217363..819eee1 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -68,8 +68,11 @@  static DEFINE_MUTEX(nf_hook_mutex);
 int nf_register_hook(struct nf_hook_ops *reg)
 {
 	struct nf_hook_ops *elem;
-	int err;
+	int err = -EINVAL;
 
+	if (reg->pf >= NFPROTO_NUMPROTO || reg->hooknum >= NF_MAX_HOOKS)
+		return err;
+
 	err = mutex_lock_interruptible(&nf_hook_mutex);
 	if (err < 0)
 		return err;