
netfilter: nf_tables: underflow in nft_parse_u32_check()

Message ID 20161012060811.GE12841@mwanda
State Awaiting Upstream, archived
Delegated to: David Miller

Commit Message

Dan Carpenter Oct. 12, 2016, 6:08 a.m. UTC
We don't want to allow negatives here.

Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32 netlink attributes')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Liping Zhang Oct. 12, 2016, 7:27 a.m. UTC | #1
2016-10-12 14:08 GMT+08:00 Dan Carpenter <dan.carpenter@oracle.com>:
> We don't want to allow negatives here.
>
> Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32 netlink attributes')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index b70d3ea..dd55187 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -4423,7 +4423,7 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx,
>   */

I think it's better if you can convert it as follows:

>  unsigned int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)

int nft_parse_u32_check(const struct nlattr *attr, u32 max, u32 *dest)

>  {
> -       int val;
> +       uint val;

            u32 val;

>
>         val = ntohl(nla_get_be32(attr));
>         if (val > max)

Patch

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b70d3ea..dd55187 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4423,7 +4423,7 @@  static int nf_tables_check_loops(const struct nft_ctx *ctx,
  */
 unsigned int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
 {
-	int val;
+	uint val;
 
 	val = ntohl(nla_get_be32(attr));
 	if (val > max)
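
Review bot: on the `+	uint val;` line, `val` becomes unsigned while the `max` parameter in the signature above stays `int`, so `if (val > max)` turns into a mixed-sign comparison in which `max` is converted to unsigned; a negative `max` from a caller would then act as a very large bound. Declaring the parameter as `u32 max` and the local as `u32 val` (the fixed-width type already used for `*dest`) keeps both sides of the check the same type and avoids the non-standard `uint` spelling. The commit message could also state the mechanism: a wire value with the top bit set became negative in `int val` and so was not caught by the `val > max` test.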