From patchwork Wed Aug 10 15:30:13 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: nevola <nevola@gmail.com>
X-Patchwork-Id: 657863
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3s8gvd5JN3z9ttl
	for <incoming@patchwork.ozlabs.org>;
	Thu, 11 Aug 2016 05:19:57 +1000 (AEST)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com header.b=SclYBiyk;
	dkim-atps=neutral
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S935705AbcHJTTz (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Wed, 10 Aug 2016 15:19:55 -0400
Received: from mail-wm0-f68.google.com ([74.125.82.68]:36354 "EHLO
	mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933591AbcHJTTx (ORCPT
	<rfc822;netfilter-devel@vger.kernel.org>);
	Wed, 10 Aug 2016 15:19:53 -0400
Received: by mail-wm0-f68.google.com with SMTP id i138so11425547wmf.3
	for <netfilter-devel@vger.kernel.org>;
	Wed, 10 Aug 2016 12:19:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=date:from:to:subject:message-id:references:mime-version
	:content-disposition:in-reply-to:user-agent;
	bh=OSTvtiyzcBtnI0tFkhO7it9Sb5KkXLwA/kgEAhYsT9Y=;
	b=SclYBiykvER/dY4729aJZocIxPzvPS/f4Jv/oOt74teMScY1LpxS++D55u0aZ5lba0
	13/g8swSwXWcdlvKos77Juhkfd7onZjPy9fU7LxZCBTAp9o8xPzgCH0V9OHTgqUD6sl2
	MsQ/FddMsWoQ5K+in1bs41vyiVXUXjF0wunzl6biYVYChitFVXVlf/pt2Fc4h/tQUs5N
	jbqwjkS+tWxR1Hsr+BE/BXAMQHwDy+1eFVvPfMw1gczQ5cdTkY9QaC6Vd9fjSgivv9XP
	eockeay03gnLbgadFxUKvCm4fw5HH9yFnsxHxfXcAXqOQ/VGjWTJu3437fbhOfjOGhQD
	w3bw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:date:from:to:subject:message-id:references
	:mime-version:content-disposition:in-reply-to:user-agent;
	bh=OSTvtiyzcBtnI0tFkhO7it9Sb5KkXLwA/kgEAhYsT9Y=;
	b=DiUj/GtgJYqb9IIIiHzpgW19glhMlOcRv5vWqu+c3yNuAtbPFWc1Aky5uKU0D2f+HS
	xoZnVfALJEszVGIxPU/Qe19W5jOY3XJB0G/X81J4pkK7+rO7eGPB6q6tZu3DPi/vpaNQ
	vrypuMPio41CyXzdxrcxQAC2OiRihfMqO02ZOmaelXygiGhOu30i4ICTGitPjccYPhQ5
	Og5uqXF2uCU+1HZNNvis/OMzOO6CCEafu8WQTqPrpCjNWFqc5d0lMf19jQwEAPrJJJEx
	7PEtPJNSARiUIdDP1/MIrhrzf6CBIO9NtXbcBf2lH4XADlCE3wCJfXBNy2hDV/+chjQy
	B77A==
X-Gm-Message-State: 
 AEkoousiUL2vDm77Tc9viIKRMeCWyX507/pHqcRT8IkVS9/tURqXbTsQyqAI9HtZAWXMXA==
X-Received: by 10.28.113.135 with SMTP id d7mr3723941wmi.43.1470843015781;
	Wed, 10 Aug 2016 08:30:15 -0700 (PDT)
Received: from sonyv (cli-5b7e49a2.wholesale.adamo.es. [91.126.73.162])
	by smtp.gmail.com with ESMTPSA id
	i8sm8915269wmg.21.2016.08.10.08.30.14
	for <netfilter-devel@vger.kernel.org>
	(version=TLS1_2 cipher=AES128-SHA bits=128/128);
	Wed, 10 Aug 2016 08:30:15 -0700 (PDT)
Date: Wed, 10 Aug 2016 17:30:13 +0200
From: Laura Garcia Liebana <nevola@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH 1/5] netfilter: nf_tables: Check u32 load in u8 nft_bitwise
	attribute
Message-ID: 
 <c01cc15bf84922f25dc18fe8c494d32d9048d524.1470842571.git.nevola@gmail.com>
References: <cover.1470842571.git.nevola@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1470842571.git.nevola@gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

Fix the direct assignment from u32 data input into the len attribute
with a size of u8.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 net/netfilter/nft_bitwise.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index d71cc18..2c49f69 100644
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -53,6 +53,7 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
 	struct nft_bitwise *priv = nft_expr_priv(expr);
 	struct nft_data_desc d1, d2;
 	int err;
+	u32 len;
 
 	if (tb[NFTA_BITWISE_SREG] == NULL ||
 	    tb[NFTA_BITWISE_DREG] == NULL ||
@@ -61,7 +62,11 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
 	    tb[NFTA_BITWISE_XOR] == NULL)
 		return -EINVAL;
 
-	priv->len  = ntohl(nla_get_be32(tb[NFTA_BITWISE_LEN]));
+	len  = ntohl(nla_get_be32(tb[NFTA_BITWISE_LEN]));
+	if (len > U8_MAX)
+		return -EINVAL;
+	priv->len = len;
+
 	priv->sreg = nft_parse_register(tb[NFTA_BITWISE_SREG]);
 	err = nft_validate_register_load(priv->sreg, priv->len);
 	if (err < 0)