diff options
author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2012-05-14 01:47:01 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-05-16 15:38:49 -0400 |
commit | 26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c (patch) | |
tree | 046834414e20d334fc5172275a53c55d9722a714 /net/netfilter/ipset/ip_set_hash_ipport.c | |
parent | 769b0daf6e18a05a6d4da94baab7edd12867350c (diff) | |
download | op-kernel-dev-26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c.zip op-kernel-dev-26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c.tar.gz |
netfilter: ipset: fix hash size checking in kernel
The hash size must fit both into u32 (jhash) and the max value of
size_t. The missing checking could lead to kernel crash, bug reported
by Seblu.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/ipset/ip_set_hash_ipport.c')
-rw-r--r-- | net/netfilter/ipset/ip_set_hash_ipport.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c index 9c27e24..e8dbb49 100644 --- a/net/netfilter/ipset/ip_set_hash_ipport.c +++ b/net/netfilter/ipset/ip_set_hash_ipport.c @@ -449,6 +449,7 @@ hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags) struct ip_set_hash *h; u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; u8 hbits; + size_t hsize; if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) return -IPSET_ERR_INVALID_FAMILY; @@ -476,9 +477,12 @@ hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags) h->timeout = IPSET_NO_TIMEOUT; hbits = htable_bits(hashsize); - h->table = ip_set_alloc( - sizeof(struct htable) - + jhash_size(hbits) * sizeof(struct hbucket)); + hsize = htable_size(hbits); + if (hsize == 0) { + kfree(h); + return -ENOMEM; + } + h->table = ip_set_alloc(hsize); if (!h->table) { kfree(h); return -ENOMEM; |