1 From 017b1b6d28c479f1ad9a7a41f775545a3e1cba35 Mon Sep 17 00:00:00 2001
2 From: Phil Turnbull <phil.turnbull@oracle.com>
3 Date: Wed, 24 Feb 2016 15:34:43 -0500
4 Subject: netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
6 From: Phil Turnbull <phil.turnbull@oracle.com>
8 commit 017b1b6d28c479f1ad9a7a41f775545a3e1cba35 upstream.
10 nfacct_filter_alloc doesn't validate the NFACCT_FILTER_MASK and
11 NFACCT_FILTER_VALUE parameters which can trigger a NULL pointer
12 dereference. CAP_NET_ADMIN is required to trigger the bug.
14 Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
16 Cc: Zubin Mithra <zsm@chromium.org>
17 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
20 net/netfilter/nfnetlink_acct.c | 3 +++
21 1 file changed, 3 insertions(+)
23 --- a/net/netfilter/nfnetlink_acct.c
24 +++ b/net/netfilter/nfnetlink_acct.c
25 @@ -243,6 +243,9 @@ nfacct_filter_alloc(const struct nlattr
29 + if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
30 + return ERR_PTR(-EINVAL);
32 filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
34 return ERR_PTR(-ENOMEM);
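Review bot: The added guard `if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])` has no comment saying why presence is checked by hand, so a later cleanup could mistake it for redundant validation and drop it. I would put a one-line comment above it, for example `/* Both attributes are mandatory; tb[] slots stay NULL when userspace omits them. */`. The body of nfacct_filter_alloc starts before and continues after this hunk, so the parse call and the later reads of `tb[]` are not visible here. Presumably the attribute policy handed to the parser also bounds the length of both attributes; that is worth confirming, because this check only covers their presence.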