author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-21 11:47:04 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-24 07:43:20 +0200 |
commit | 94254f990c07e9ddf1634e0b727fab821c3b5bf9 (patch) | |
tree | 9b79807bd798c03ad5903c7a34c7773582e0e430 | |
parent | ab482c6b66a4a8c0a8c0b0f577a785cf9ff1c2e2 (diff) | |
netfilter: nft_payload: report ERANGE for too long offset and length
Instead of truncating offset and length to u8, report ERANGE.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/netfilter/nft_payload.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 2e7ac007cb30..4fee67abfe2c 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -833,6 +833,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
 {
 enum nft_payload_bases base;
 unsigned int offset, len;
+ int err;

 if (tb[NFTA_PAYLOAD_BASE] == NULL ||
 tb[NFTA_PAYLOAD_OFFSET] == NULL ||
@@ -859,8 +860,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
 if (tb[NFTA_PAYLOAD_DREG] == NULL)
 return ERR_PTR(-EINVAL);

- offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
- len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
+ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);
+ if (err < 0)
+ return ERR_PTR(err);
+
+ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len);
+ if (err < 0)
+ return ERR_PTR(err);

 if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
 base != NFT_PAYLOAD_LL_HEADER && base != NFT_PAYLOAD_INNER_HEADER) |
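Review bot: The `U8_MAX` limit passed to both `nft_parse_u32_check()` calls in the second hunk is tied to the u8 truncation the commit message describes, but nothing at the call site records that coupling. A comment above the first call, such as `/* offset and len are stored as u8; reject larger values instead of truncating */`, would keep the bound and the field width in step if either changes. The new checks sit after the `tb[NFTA_PAYLOAD_DREG] == NULL` test, so any branch of nft_payload_select_ops that returns before that point would not get the bound; the lines between the two hunks are not shown, so this is unconfirmed. Likewise, any init routine that re-reads these attributes with `ntohl(nla_get_be32(...))` would presumably still truncate, so it is worth confirming those paths are covered too. The function body starts and ends outside the hunks.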