author | 2025-04-22 21:52:44 +0200 | |
---|---|---|
committer | 2025-05-05 13:17:32 +0200 | |
commit | b85e3367a5716ed3662a4fe266525190d2af76df (patch) | |
tree | 20e2a7d10eb64ea8f94746508cd959de9ac43a3c | |
parent | netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (diff) | |
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()
when resizing hashtable because __GFP_NOWARN is unset.
Similar to:
b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/netfilter/nft_set_pipapo.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index 0529e4ef7520..c5855069bdab 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -663,6 +663,9 @@ static int pipapo_realloc_mt(struct nft_pipapo_field *f, check_add_overflow(rules, extra, &rules_alloc)) return -EOVERFLOW; + if (rules_alloc > (INT_MAX / sizeof(*new_mt))) + return -ENOMEM; + new_mt = kvmalloc_array(rules_alloc, sizeof(*new_mt), GFP_KERNEL_ACCOUNT); if (!new_mt) return -ENOMEM; @@ -1499,6 +1502,9 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old) src->groups * NFT_PIPAPO_BUCKETS(src->bb)); if (src->rules > 0) { + if (src->rules_alloc > (INT_MAX / sizeof(*src->mt))) + goto out_mt; + dst->mt = kvmalloc_array(src->rules_alloc, sizeof(*src->mt), GFP_KERNEL_ACCOUNT); |
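Review bot: The new `INT_MAX / sizeof(*new_mt)` bound in pipapo_realloc_mt() has no comment explaining why the limit is INT_MAX, and the same unexplained test is repeated in the pipapo_clone() hunk with `sizeof(*src->mt)`. The reason is given only in the commit message (kvmalloc hits WARN_ON_ONCE on larger requests when __GFP_NOWARN is unset), so a later cleanup could mistake the check for a duplicate of kvmalloc_array()'s own overflow handling and drop it. If these sizes can be driven by set updates, that warning matters most on hosts running with panic_on_warn. I would add `/* kvmalloc() WARNs on sizes above INT_MAX unless __GFP_NOWARN is set; reject early. */` above both tests, or move the comparison into one small static helper shared by the two call sites. Both function bodies continue outside the hunks, so the `out_mt` unwind path and the error pipapo_clone() returns from it cannot be checked from this page.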