Commit 235ee330 authored by Phil Turnbull's avatar Phil Turnbull Committed by Stefan Bader

netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter

BugLink: https://bugs.launchpad.net/bugs/1840335

[ Upstream commit eda3fc50 ]

If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is
missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is
required to trigger the bug.
Signed-off-by: default avatarPhil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 2d4cdd66
...@@ -97,6 +97,8 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb, ...@@ -97,6 +97,8 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
return -EINVAL; return -EINVAL;
if (flags & NFACCT_F_OVERQUOTA) if (flags & NFACCT_F_OVERQUOTA)
return -EINVAL; return -EINVAL;
if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])
return -EINVAL;
size += sizeof(u64); size += sizeof(u64);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment