diff options
author | Xiubo Li <lixiubo@cmss.chinamobile.com> | 2016-06-02 02:59:56 (GMT) |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-06-23 10:13:06 (GMT) |
commit | a6d0bae14858a43ab9d76d6332d7c3f2a618a6a2 (patch) | |
tree | 934019b39ad601725e3c8ae1e75e1f334fa6865c | |
parent | 436a850dd9cac09bf88e12e20cc79408b1d29788 (diff) | |
download | linux-a6d0bae14858a43ab9d76d6332d7c3f2a618a6a2.tar.xz |
netfilter: x_tables: fix possible ZERO_SIZE_PTR pointer dereferencing error.
Since we cannot make sure that the 'hook_mask' will always be none
zero here. If it equals to zero, the num_hooks will be zero too,
and then kmalloc() will return ZERO_SIZE_PTR, which is (void *)16.
Then the following error check will fails:
ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
if (ops == NULL)
return ERR_PTR(-ENOMEM);
So this patch will fix this with just doing the zero check before
kmalloc() is called.
Maybe the case above will never happen here, but in theory.
Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/netfilter/x_tables.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index c69c892..8aff34e 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1460,6 +1460,9 @@ xt_hook_ops_alloc(const struct xt_table *table, nf_hookfn *fn) uint8_t hooknum; struct nf_hook_ops *ops; + if (!num_hooks) + return ERR_PTR(-EINVAL); + ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL); if (ops == NULL) return ERR_PTR(-ENOMEM); |