mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-01 06:33:07 +00:00
netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook()
I believe that "hook->num" can be up to UINT_MAX. Shifting more than
31 bits would is undefined in C but in practice it would lead to shift
wrapping. That would lead to an array overflow in nf_tables_addchain():
ops->hook = hook.type->hooks[ops->hooknum];
Fixes: fe19c04ca1
("netfilter: nf_tables: remove nhooks field from struct nft_af_info")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
3c79107631
commit
33d1c01817
1 changed files with 1 additions and 1 deletions
|
@ -1545,7 +1545,7 @@ static int nft_chain_parse_hook(struct net *net,
|
|||
if (IS_ERR(type))
|
||||
return PTR_ERR(type);
|
||||
}
|
||||
if (!(type->hook_mask & (1 << hook->num)))
|
||||
if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (type->type == NFT_CHAIN_T_NAT &&
|
||||
|
|
Loading…
Reference in a new issue