netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
author Phil Turnbull <phil.turnbull@oracle.com>
Wed, 24 Feb 2016 20:34:43 +0000 (15:34 -0500)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 29 Feb 2016 12:27:21 +0000 (13:27 +0100)
nfacct_filter_alloc doesn't validate the NFACCT_FILTER_MASK and
NFACCT_FILTER_VALUE parameters which can trigger a NULL pointer
dereference. CAP_NET_ADMIN is required to trigger the bug.

Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nfnetlink_acct.c

index 5274b04c42a6cccfe10ce25026b5f45a1cf48510..4c2b4c0c4d5fa4ac209ab85020e97e14ed716ab9 100644 (file)
@@ -242,6 +242,9 @@ nfacct_filter_alloc(const struct nlattr * const attr)
        if (err < 0)
                return ERR_PTR(err);
 
+       if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
+               return ERR_PTR(-EINVAL);
+
        filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
        if (!filter)
                return ERR_PTR(-ENOMEM);
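
Review bot: The added test in nfacct_filter_alloc only confirms that tb[NFACCT_FILTER_MASK] and tb[NFACCT_FILTER_VALUE] are present; it does not check their length. Please confirm that the policy given to the parse call just above this hunk (not visible here) constrains both attributes to the size read later in the function. Placing the check before kzalloc is the right spot, since the -EINVAL return then needs no cleanup. The commit message would also be easier to act on if it named where the NULL dereference happens, so that someone backporting the fix can verify the affected read.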