diff options
author | David S. Miller <davem@davemloft.net> | 2020-07-28 13:43:40 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-07-28 13:43:40 -0700 |
commit | 0003041e7a0bf24594e5d66fe217bbbefdac44ab (patch) | |
tree | 050f16554295c22db098bb4e81021e21d2718c5f /net/netfilter/x_tables.c | |
parent | Merge branch 'mlxsw-Add-support-for-QSFP-DD-transceiver-type' (diff) | |
parent | net: improve the user pointer check in init_user_sockptr (diff) | |
download | wireguard-linux-0003041e7a0bf24594e5d66fe217bbbefdac44ab.tar.xz wireguard-linux-0003041e7a0bf24594e5d66fe217bbbefdac44ab.zip |
Merge branch 'sockptr_t-fixes-v2'
Christoph Hellwig says:
====================
sockptr_t fixes v2
a bunch of fixes for the sockptr_t conversion
Changes since v1:
- fix a user pointer dereference braino in bpfilter
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/x_tables.c')
-rw-r--r-- | net/netfilter/x_tables.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index b97eb4b538fd..91bf6635ea9e 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1050,6 +1050,7 @@ EXPORT_SYMBOL_GPL(xt_check_target); void *xt_copy_counters(sockptr_t arg, unsigned int len, struct xt_counters_info *info) { + size_t offset; void *mem; u64 size; @@ -1067,7 +1068,7 @@ void *xt_copy_counters(sockptr_t arg, unsigned int len, memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1); info->num_counters = compat_tmp.num_counters; - sockptr_advance(arg, sizeof(compat_tmp)); + offset = sizeof(compat_tmp); } else #endif { @@ -1078,7 +1079,7 @@ void *xt_copy_counters(sockptr_t arg, unsigned int len, if (copy_from_sockptr(info, arg, sizeof(*info)) != 0) return ERR_PTR(-EFAULT); - sockptr_advance(arg, sizeof(*info)); + offset = sizeof(*info); } info->name[sizeof(info->name) - 1] = '\0'; @@ -1092,7 +1093,7 @@ void *xt_copy_counters(sockptr_t arg, unsigned int len, if (!mem) return ERR_PTR(-ENOMEM); - if (copy_from_sockptr(mem, arg, len) == 0) + if (copy_from_sockptr_offset(mem, arg, offset, len) == 0) return mem; vfree(mem); |