From patchwork Mon Nov 14 21:33:34 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: nevola X-Patchwork-Id: 694734 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3tHkKc6R84z9t0v for ; Tue, 15 Nov 2016 08:33:40 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="uYSR+KoD"; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S938773AbcKNVdj (ORCPT ); Mon, 14 Nov 2016 16:33:39 -0500 Received: from mail-wm0-f68.google.com ([74.125.82.68]:33182 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933258AbcKNVdj (ORCPT ); Mon, 14 Nov 2016 16:33:39 -0500 Received: by mail-wm0-f68.google.com with SMTP id u144so19256724wmu.0 for ; Mon, 14 Nov 2016 13:33:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:subject:message-id:mime-version:content-disposition :user-agent; bh=MFPUM4z4/b1LnC7gQ+aHbPMWdbPeHONM6Eu6R34DiFI=; b=uYSR+KoDMCd8mmefOMGfNd7l8pUgIk+5BCJqr3y3foKrSdOkWO6MYFRUTAfcyoi8pC KudCG6/QUbII/D9dmVQsixYNNE+EpkuWgx4AYvd/2l69yAL1vT6IycSqQ2xhvPEX+8aC GZlOX83qjTky7OJR6qDYVKOeLziNg+dqo0qohm7RALCfAPPfbLlo/dJuOFMrnPvHFT67 skrqy0LrE7CEEjj6Dy1GrdjYRFkEQv67JS/DCXChvPcPav0a2dm0QNffRpUQHTqoE5Ag Z2btovYeN0UztIAu/xb6hDcN0eIMLY4aYNzrLqfBhsGLjEDWg/1oxDDvOKq4xFfmSbFT DLdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition:user-agent; bh=MFPUM4z4/b1LnC7gQ+aHbPMWdbPeHONM6Eu6R34DiFI=; b=C3DObvcIC6DUggMLXr85672xOcOK3yi8qIKXZSHMVADJjvW8++aiibWb9ID8al5A24 DKpHicAQH5hFYEaUAPEVdafvBG+uAVyfkv+FZZo6PXU5FUkE09XAlEzOaxc45p05fYDP Hw2vLMvz9ReLo87emKOsw2hY+FUvj25Uku6+rDYBMuJ9cLgQ2q1WwdmfLW6bh8te/0hF PNoGgHYtVtXEtIro4A94IMFHXhYeo9VQ8RntKhPIZPwLGP37j22oVguR1wtmYThIlVcR mBRiar5+WZurAxatkjRYvE5UcLGLyOipBJMF0MgbghfUTzbHL9HC2aEEGUMGseBOZ2NS bAmA== X-Gm-Message-State: ABUngvfihXPxPpAv4HG1Q1EtPBYC8wg49xk55w3WsCoQ38blkesIOW80aKmAH3rNO81VBg== X-Received: by 10.194.2.79 with SMTP id 15mr18348987wjs.225.1479159217167; Mon, 14 Nov 2016 13:33:37 -0800 (PST) Received: from sonyv (72.red-88-15-56.dynamicip.rima-tde.net. [88.15.56.72]) by smtp.gmail.com with ESMTPSA id b15sm495214wma.5.2016.11.14.13.33.36 for (version=TLS1_2 cipher=AES128-SHA bits=128/128); Mon, 14 Nov 2016 13:33:36 -0800 (PST) Date: Mon, 14 Nov 2016 22:33:34 +0100 From: Laura Garcia Liebana To: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next] netfilter: nf_tables: validate maximum value of u32 netlink hash attribute Message-ID: <20161114213331.GA13743@sonyv> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Use the function nft_parse_u32_check() to fetch the value and validate the u32 attribute into the hash len u8 field. This patch revisits 4da449ae1df9 ("netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes"). Signed-off-by: Laura Garcia Liebana --- net/netfilter/nft_hash.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c index 97ad8e30e4b4..eb2721af898d 100644 --- a/net/netfilter/nft_hash.c +++ b/net/netfilter/nft_hash.c @@ -53,6 +53,7 @@ static int nft_hash_init(const struct nft_ctx *ctx, { struct nft_hash *priv = nft_expr_priv(expr); u32 len; + int err; if (!tb[NFTA_HASH_SREG] || !tb[NFTA_HASH_DREG] || @@ -66,8 +67,10 @@ static int nft_hash_init(const struct nft_ctx *ctx, priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]); priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]); - len = ntohl(nla_get_be32(tb[NFTA_HASH_LEN])); - if (len == 0 || len > U8_MAX) + err = nft_parse_u32_check(tb[NFTA_HASH_LEN], U8_MAX, &len); + if (err < 0) + return err; + if (len == 0) return -ERANGE; priv->len = len;