[3/5] netfilter: nf_tables: Check u32 load in u8 nft_cmp attribute
diff mbox

Message ID 1b5a19c8e8439e5e7b078f4572af69f6c180078f.1470842571.git.nevola@gmail.com
State Changes Requested
Delegated to: Pablo Neira
Headers show

Commit Message

Laura Garcia Liebana Aug. 10, 2016, 3:31 p.m. UTC
Fix the direct assignment from u32 data input into the len attribute
with a size of u8.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 net/netfilter/nft_cmp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Patch
diff mbox

diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index e25b35d..ca247e5 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -84,8 +84,11 @@  static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 	if (err < 0)
 		return err;
 
-	priv->op  = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
+	if (desc.len > U8_MAX)
+		return -EINVAL;
 	priv->len = desc.len;
+	priv->op  = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
+
 	return 0;
 }