netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters

nfacct_filter_alloc doesn't validate the NFACCT_FILTER_MASK and NFACCT_FILTER_VALUE parameters which can trigger a NULL pointer dereference. CAP_NET_ADMIN is required to trigger the bug. Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Phil Turnbull <phil.turnbull@oracle.com> 2016-02-24 15:34:43 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-02-29 13:27:21 +0100
commit: 017b1b6d28c479f1ad9a7a41f775545a3e1cba35 (patch)
tree: 595556370e0d68c347acfa0b8560e16623d57de8 /net/netfilter
parent: net: ndo_fdb_dump should report -EMSGSIZE to rtnl_fdb_dump. (diff)
download: linux-dev-017b1b6d28c479f1ad9a7a41f775545a3e1cba35.tar.xz
linux-dev-017b1b6d28c479f1ad9a7a41f775545a3e1cba35.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 5274b04c42a6..4c2b4c0c4d5f 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -242,6 +242,9 @@ nfacct_filter_alloc(const struct nlattr * const attr)
 	if (err < 0)
 		return ERR_PTR(err);
 
+	if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
+		return ERR_PTR(-EINVAL);
+
 	filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
 	if (!filter)
 		return ERR_PTR(-ENOMEM);
author	Phil Turnbull <phil.turnbull@oracle.com>	2016-02-24 15:34:43 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-02-29 13:27:21 +0100
commit	017b1b6d28c479f1ad9a7a41f775545a3e1cba35 (patch)
tree	595556370e0d68c347acfa0b8560e16623d57de8 /net/netfilter
parent	net: ndo_fdb_dump should report -EMSGSIZE to rtnl_fdb_dump. (diff)
download	linux-dev-017b1b6d28c479f1ad9a7a41f775545a3e1cba35.tar.xz linux-dev-017b1b6d28c479f1ad9a7a41f775545a3e1cba35.zip