From patchwork Wed Aug 10 15:31:00 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: nevola
X-Patchwork-Id: 657876
X-Patchwork-Delegate: pablo@netfilter.org
Date: Wed, 10 Aug 2016 17:31:00 +0200
From: Laura Garcia Liebana
To: netfilter-devel@vger.kernel.org
Subject: [PATCH 2/5] netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute
Message-ID: <0b8cf8c8d981de2ee30440a24a011ab88a16c67b.1470842571.git.nevola@gmail.com>

Fix the direct assignment from u32 data input into the len and size attributes with a size of u8.

Signed-off-by: Laura Garcia Liebana
--- net/netfilter/nft_byteorder.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c index b78c28b..fdd23d5 100644 --- a/net/netfilter/nft_byteorder.c +++ b/net/netfilter/nft_byteorder.c @@ -100,6 +100,7 @@ static int nft_byteorder_init(const struct nft_ctx *ctx, { struct nft_byteorder *priv = nft_expr_priv(expr); int err; + u32 len, size; if (tb[NFTA_BYTEORDER_SREG] == NULL || tb[NFTA_BYTEORDER_DREG] == NULL || 
@@ -117,7 +118,10 @@ static int nft_byteorder_init(const struct nft_ctx *ctx, return -EINVAL; } - priv->size = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_SIZE])); + size = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_SIZE])); + if (size > U8_MAX) + return -EINVAL; + priv->size = size; switch (priv->size) { case 2: case 4: @@ -128,7 +132,12 @@ static int nft_byteorder_init(const struct nft_ctx *ctx, } priv->sreg = nft_parse_register(tb[NFTA_BYTEORDER_SREG]); - priv->len = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_LEN])); + + len = ntohl(nla_get_be32(tb[NFTA_BYTEORDER_LEN])); + if (len > U8_MAX) + return -EINVAL; + priv->len = len; + err = nft_validate_register_load(priv->sreg, priv->len); if (err < 0) return err;
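Review bot: in the hunk at @@ -117,7 +118,10 @@ the `switch` in the trailing context still tests `priv->size`, i.e. the value after it has been narrowed to u8. Switching on the local u32 `size` and assigning `priv->size = size;` only once a `case 2: case 4:` branch has accepted it would validate the full 32-bit attribute in one place, and if the switch's default branch already rejects other values the separate `if (size > U8_MAX)` test becomes redundant. If the explicit bound check stays, consider returning -ERANGE rather than -EINVAL so userspace can tell an out-of-range value from a malformed attribute.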
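Review bot: the commit message does not say why the narrowing matters for the hunk at @@ -128,7 +132,12 @@. Before this change a length such as 0x104 was stored in the u8 `priv->len` as 4, and that truncated value is what `nft_validate_register_load(priv->sreg, priv->len)` checked; please state this in the changelog so the fix is easy to assess for backporting. The `len` block also repeats the read, `> U8_MAX` compare, `return -EINVAL`, assign sequence from the `size` hunk, so a small shared helper that takes the attribute and a maximum would keep the two checks from drifting apart.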