Commit 017b1b6d28c479f1ad9a7a41f775545a3e1cba35

Authored by Phil Turnbull
Committed by Pablo Neira Ayuso
1 parent 472681d57a

netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters

nfacct_filter_alloc doesn't validate the NFACCT_FILTER_MASK and
NFACCT_FILTER_VALUE parameters which can trigger a NULL pointer
dereference. CAP_NET_ADMIN is required to trigger the bug.

Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Showing 1 changed file with 3 additions and 0 deletions

net/netfilter/nfnetlink_acct.c
... ... @@ -242,6 +242,9 @@
242 242 if (err < 0)
243 243 return ERR_PTR(err);
244 244  
  245 + if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
  246 + return ERR_PTR(-EINVAL);
  247 +
245 248 filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
246 249 if (!filter)
247 250 return ERR_PTR(-ENOMEM);
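
Review bot: The presence check added at new lines 245-246 only establishes that tb[NFACCT_FILTER_MASK] and tb[NFACCT_FILTER_VALUE] are non-NULL; whether their payload sizes are also validated depends on whatever set `err` just above, which this hunk does not show. Please confirm that step enforces the expected type and length for both attributes, so the later reads are covered as well as the NULL case, and consider a one-line comment stating that both attributes are mandatory. Putting the check before the kzalloc() is the right place, since the -EINVAL return then needs no cleanup.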