netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter

If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is required to trigger the bug. Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Phil Turnbull <phil.turnbull@oracle.com> 2016-05-03 16:39:19 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-05-05 16:47:08 +0200
commit: eda3fc50daa93b08774a18d51883c5a5d8d85e15 (patch)
tree: e3bc0a4fb353f4b65d4fcc8c0a29205c25e2d2d3 /net/netfilter/nfnetlink_acct.c
parent: netfilter: IDLETIMER: fix race condition when destroy the target (diff)
download: linux-dev-eda3fc50daa93b08774a18d51883c5a5d8d85e15.tar.xz
linux-dev-eda3fc50daa93b08774a18d51883c5a5d8d85e15.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 4c2b4c0c4d5f..dbd0803b1827 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -96,6 +96,8 @@ static int nfnl_acct_new(struct net *net, struct sock *nfnl,
 			return -EINVAL;
 		if (flags & NFACCT_F_OVERQUOTA)
 			return -EINVAL;
+		if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])
+			return -EINVAL;
 
 		size += sizeof(u64);
 	}
author	Phil Turnbull <phil.turnbull@oracle.com>	2016-05-03 16:39:19 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-05-05 16:47:08 +0200
commit	eda3fc50daa93b08774a18d51883c5a5d8d85e15 (patch)
tree	e3bc0a4fb353f4b65d4fcc8c0a29205c25e2d2d3 /net/netfilter/nfnetlink_acct.c
parent	netfilter: IDLETIMER: fix race condition when destroy the target (diff)
download	linux-dev-eda3fc50daa93b08774a18d51883c5a5d8d85e15.tar.xz linux-dev-eda3fc50daa93b08774a18d51883c5a5d8d85e15.zip