net: sched: act_ipt: check for underflow in __tcf_ipt_init()

If "td->u.target_size" is larger than sizeof(struct xt_entry_target) we return -EINVAL. But we don't check whether it's smaller than sizeof(struct xt_entry_target) and that could lead to an out of bounds read. Fixes: 7ba699c604ab ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>

net: sched: act_ipt: check for underflow in __tcf_ipt_init()
If "td->u.target_size" is larger than sizeof(struct xt_entry_target) we return -EINVAL. But we don't check whether it's smaller than sizeof(struct xt_entry_target) and that could lead to an out of bounds read. Fixes: 7ba699c604ab ("[NET_SCHED]: Convert actions from rtnetlink to new netlink API") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter · David S. Miller
1 parent ee0b6f4834
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
net/sched/act_ipt.c
@@ -135,7 +135,7 @@
 	}
  
 	td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
-	if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) {
+	if (nla_len(tb[TCA_IPT_TARG]) != td->u.target_size) {
 		if (exists)
 			tcf_idr_release(*a, bind);
 		else
...	...	@@ -135,7 +135,7 @@
135	135	}
136	136
137	137	td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
138		- if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) {
	138	+ if (nla_len(tb[TCA_IPT_TARG]) != td->u.target_size) {
139	139	if (exists)
140	140	tcf_idr_release(*a, bind);
141	141	else