releases/4.4.177/netfilter-nfnetlink_acct-validate-nfacct_filter-parameters.patch

   1 From 017b1b6d28c479f1ad9a7a41f775545a3e1cba35 Mon Sep 17 00:00:00 2001
   2 From: Phil Turnbull <phil.turnbull@oracle.com>
   3 Date: Wed, 24 Feb 2016 15:34:43 -0500
   4 Subject: netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
   5
   6 From: Phil Turnbull <phil.turnbull@oracle.com>
   7
   8 commit 017b1b6d28c479f1ad9a7a41f775545a3e1cba35 upstream.
   9
  10 nfacct_filter_alloc doesn't validate the NFACCT_FILTER_MASK and
  11 NFACCT_FILTER_VALUE parameters which can trigger a NULL pointer
  12 dereference. CAP_NET_ADMIN is required to trigger the bug.
  13
  14 Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
  15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  16 Cc: Zubin Mithra <zsm@chromium.org>
  17 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18
  19 ---
  20  net/netfilter/nfnetlink_acct.c |    3 +++
  21  1 file changed, 3 insertions(+)
  22
  23 --- a/net/netfilter/nfnetlink_acct.c
  24 +++ b/net/netfilter/nfnetlink_acct.c
  25 @@ -243,6 +243,9 @@ nfacct_filter_alloc(const struct nlattr
  26         if (err < 0)
  27                 return ERR_PTR(err);
  28
  29 +       if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
  30 +               return ERR_PTR(-EINVAL);
  31 +
  32         filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
  33         if (!filter)
  34                 return ERR_PTR(-ENOMEM);