Commit eda3fc50daa93b08774a18d51883c5a5d8d85e15
Exists in smarc_imx_lf-5.15.y and in 27 other branches: 8mp-imx_5.4.70_2.3.0, 8qm-imx_5.4.70_2.3.0, emb_imx_lf-5.15.y, emb_lf-6.1.y, pitx_8mp_lf-5.10.y, rt_linux_5.15.71, smarc-8m-android-11.0.0_2.0.0, smarc-imx6_4.14.98_2.0.0_ga, smarc-imx6_4.9.88_2.0.0_ga, smarc-imx7_4.14.98_2.0.0_ga, smarc-imx7_4.9.11_1.0.0_ga, smarc-imx7_4.9.88_2.0.0_ga, smarc-imx_4.9.11_1.0.0_ga, smarc-imx_4.9.51_imx8m_ga, smarc-imx_4.9.88_2.0.0_ga, smarc-n7.1.2_2.0.0-ga, smarc_8m_00d0_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.14.78_1.0.0_ga, smarc_8m_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.19.35_1.1.0, smarc_8mm_imx_4.14.78_1.0.0_ga, smarc_8mm_imx_4.14.98_2.0.0_ga, smarc_8mm_imx_4.19.35_1.1.0, smarc_8mm_imx_5.4.24_2.1.0, smarc_8mp_lf-5.10.y, smarc_8mq_imx_5.4.24_2.1.0, smarc_8mq_lf-5.10.y
netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is
missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is
required to trigger the bug.
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Showing 1 changed file with 2 additions and 0 deletions
... |
... |
@@ -96,6 +96,8 @@ |
96
|
96 |
return -EINVAL; |
97
|
97 |
if (flags & NFACCT_F_OVERQUOTA) |
98
|
98 |
return -EINVAL; |
|
99 |
+ if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA]) |
|
100 |
+ return -EINVAL; |
99
|
101 |
|
100
|
102 |
size += sizeof(u64); |
101
|
103 |
} |
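Review bot: the added check at new lines 99-100 rejects a quota flag without tb[NFACCT_QUOTA], but the access it guards is outside this hunk, so nothing here tells a reader which later use of the attribute depended on it. A one-line comment above the check saying that NFACCT_QUOTA is read unconditionally once a quota flag is set would keep the guard from being dropped in a later cleanup. The placement is sound: it returns -EINVAL before size += sizeof(u64), so no size accounting happens for a request that will be refused. The commit message describes a NULL pointer dereference reachable with CAP_NET_ADMIN yet carries no Fixes: tag naming the change that introduced the quota handling; adding one would make it easier to tell which of the branches carrying this file need the backport.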