netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX

author Pablo Neira Ayuso <pablo@netfilter.org>

Tue, 22 Apr 2025 19:52:44 +0000 (21:52 +0200)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Mon, 5 May 2025 11:17:32 +0000 (13:17 +0200)
author Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 22 Apr 2025 19:52:44 +0000 (21:52 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 5 May 2025 11:17:32 +0000 (13:17 +0200)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c

index 0529e4ef752070ece6877c75b9c3059fa6cb4ff1..c5855069bdaba08a0d39cfed59b79c45961bc114 100644 (file)
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -663,6 +663,9 @@ static int pipapo_realloc_mt(struct nft_pipapo_field *f,
             check_add_overflow(rules, extra, &rules_alloc))
                 return -EOVERFLOW;
  
+       if (rules_alloc > (INT_MAX / sizeof(*new_mt)))
+               return -ENOMEM;
+
         new_mt = kvmalloc_array(rules_alloc, sizeof(*new_mt), GFP_KERNEL_ACCOUNT);
         if (!new_mt)
                 return -ENOMEM;
@@ -1499,6 +1502,9 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
                        src->groups * NFT_PIPAPO_BUCKETS(src->bb));
  
                 if (src->rules > 0) {
+                       if (src->rules_alloc > (INT_MAX / sizeof(*src->mt)))
+                               goto out_mt;
+
                         dst->mt = kvmalloc_array(src->rules_alloc,
                                                  sizeof(*src->mt),
                                                  GFP_KERNEL_ACCOUNT);
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 22 Apr 2025 19:52:44 +0000 (21:52 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 5 May 2025 11:17:32 +0000 (13:17 +0200)