Eric Dumazet <[email protected]> wrote:
> >Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
> >Reported-by: <[email protected]>
> >Signed-off-by: Florian Westphal <[email protected]>
> >---
> >  net/bridge/netfilter/ebt_among.c | 35 +++++++++++++++++++++++++++++++++++
> >  1 file changed, 35 insertions(+)
> >
> >diff --git a/net/bridge/netfilter/ebt_among.c 
> >b/net/bridge/netfilter/ebt_among.c
> >index c5afb4232ecb..600ac7f6671a 100644
> >--- a/net/bridge/netfilter/ebt_among.c
> >+++ b/net/bridge/netfilter/ebt_among.c
> >@@ -177,6 +177,29 @@ static bool poolsize_invalid(const struct 
> >ebt_mac_wormhash *w)
> >     return w && w->poolsize >= (INT_MAX / sizeof(struct 
> > ebt_mac_wormhash_tuple));
> >  }
> >+static bool wormhash_offset_invalid(int off, unsigned int len)
> >+{
> >+    int minsize = sizeof(struct ebt_among_info);
> >+
> >+    if (off == 0) /* not present */
> >+            return false;
> >+
> >+    if (off < minsize || off % __alignof__(struct ebt_mac_wormhash))
> >+            return true;
> >+
> >+    off += sizeof(struct ebt_mac_wormhash);
> 
> Can this overflow ?

Yes, off can wrap.

> >+    return off > len;
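Review bot: `off += sizeof(struct ebt_mac_wormhash);` followed by `return off > len;` keeps the offset in a signed `int`, so for an `off` close to `INT_MAX` the sum is narrowed back to a negative `int` and the check only rejects it because the comparison promotes `off` to `unsigned int`; that is implementation-defined narrowing plus an implicit promotion standing in for an explicit bound. Suggest writing the bound without adding to the offset at all, e.g. `if (len < sizeof(struct ebt_mac_wormhash)) return true;` and then `return (unsigned int)off > len - sizeof(struct ebt_mac_wormhash);`, which cannot wrap and states the intended condition directly; alternatively keep the `unsigned int` copy of the offset the earlier revision used.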

len is unsigned though so the unsigned promotion
would still catch this.

If you think this is too fragile let me know and I can submit a v4 with
a more explicit test (e.g. adding back "unsigned int alleged_off = off",
and testing vs. INT_MAX).
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
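The wrap Eric asks about and the promotion Florian relies on, shown in an added stand-alone C example that is not code from the patch or the kernel tree: the struct definitions are assumed stand-ins with the uapi sizes and alignment, `wormhash_offset_invalid_v3` mirrors the quoted hunk, and `wormhash_offset_invalid_explicit` is one way to write the bound without adding to the offset.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Stand-ins for the uapi structs: only sizes and alignment matter here
 * (layout assumed from include/uapi/linux/netfilter_bridge/ebt_among.h). */
struct ebt_mac_wormhash_tuple { uint32_t cmp[2]; uint32_t ip; };
struct ebt_mac_wormhash { int table[257]; int poolsize;
			  struct ebt_mac_wormhash_tuple pool[]; };
struct ebt_among_info { int wh_dst_ofs; int wh_src_ofs; int bitmask; };

/* True when off + sizeof(wormhash) no longer fits in an int (the wrap). */
static bool wormhash_end_wraps(int off)
{
	int end = off;

	end += sizeof(struct ebt_mac_wormhash);
	return end < off;
}

/* The check as posted in v3: a wrapped (negative) off is only rejected
 * because "off > len" promotes off to unsigned before comparing. */
static bool wormhash_offset_invalid_v3(int off, unsigned int len)
{
	int minsize = sizeof(struct ebt_among_info);

	if (off == 0)	/* not present */
		return false;
	if (off < minsize || off % __alignof__(struct ebt_mac_wormhash))
		return true;
	off += sizeof(struct ebt_mac_wormhash);	/* may wrap negative */
	return off > len;
}

/* Explicit form: compare the offset with the room left after one
 * wormhash header, so nothing is added to off and nothing can wrap. */
static bool wormhash_offset_invalid_explicit(int off, unsigned int len)
{
	if (off == 0)
		return false;
	if (off < (int)sizeof(struct ebt_among_info) ||
	    off % __alignof__(struct ebt_mac_wormhash))
		return true;
	return len < sizeof(struct ebt_mac_wormhash) ||
	       (unsigned int)off > len - sizeof(struct ebt_mac_wormhash);
}
```

With a constructed match size of 1080 bytes (info header, one wormhash, three tuples), both versions accept offset 12, reject 64, and reject INT_MAX - 3, but only the explicit one does so without relying on the promotion.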