summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorXiubo Li <lixiubo@cmss.chinamobile.com>2016-06-02 02:59:56 (GMT)
committerPablo Neira Ayuso <pablo@netfilter.org>2016-06-23 10:13:06 (GMT)
commita6d0bae14858a43ab9d76d6332d7c3f2a618a6a2 (patch)
tree934019b39ad601725e3c8ae1e75e1f334fa6865c
parent436a850dd9cac09bf88e12e20cc79408b1d29788 (diff)
downloadlinux-a6d0bae14858a43ab9d76d6332d7c3f2a618a6a2.tar.xz
netfilter: x_tables: fix possible ZERO_SIZE_PTR pointer dereferencing error.
Since we cannot make sure that the 'hook_mask' will always be none zero here. If it equals to zero, the num_hooks will be zero too, and then kmalloc() will return ZERO_SIZE_PTR, which is (void *)16. Then the following error check will fails: ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL); if (ops == NULL) return ERR_PTR(-ENOMEM); So this patch will fix this with just doing the zero check before kmalloc() is called. Maybe the case above will never happen here, but in theory. Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--net/netfilter/x_tables.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index c69c892..8aff34e 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1460,6 +1460,9 @@ xt_hook_ops_alloc(const struct xt_table *table, nf_hookfn *fn)
uint8_t hooknum;
struct nf_hook_ops *ops;
+ if (!num_hooks)
+ return ERR_PTR(-EINVAL);
+
ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
if (ops == NULL)
return ERR_PTR(-ENOMEM);