authorPhil Turnbull <phil.turnbull@oracle.com>2016-02-24 15:34:43 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-03-23 08:44:29 +0100
commita55ea87f70ae91cdce8c8fcb0e2a8821b23df15e (patch)
tree814e4faa5422e21c71fc8cf843a8e56c1b378c39 /net/netfilter/nfnetlink_acct.c
parentc92b434e70dbc12620c0879194143bd9866a7a3b (diff)
netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
commit 017b1b6d28c479f1ad9a7a41f775545a3e1cba35 upstream. nfacct_filter_alloc doesn't validate the NFACCT_FILTER_MASK and NFACCT_FILTER_VALUE parameters, which can trigger a NULL pointer dereference. CAP_NET_ADMIN is required to trigger the bug. Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Zubin Mithra <zsm@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/netfilter/nfnetlink_acct.c')
-rw-r--r--net/netfilter/nfnetlink_acct.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index fefbf5f0b28d..088e8da06b00 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -243,6 +243,9 @@ nfacct_filter_alloc(const struct nlattr * const attr)
if (err < 0)
return ERR_PTR(err);
+ if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
+ return ERR_PTR(-EINVAL);
+
filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
if (!filter)
return ERR_PTR(-ENOMEM);
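Review bot: The new presence check on `tb[NFACCT_FILTER_MASK]` and `tb[NFACCT_FILTER_VALUE]` carries no comment saying why both attributes are mandatory, and the reads it protects sit outside this hunk. A one-line comment above it, such as `/* nla_parse_nested() leaves absent attributes NULL; both are read below */`, would keep a later cleanup from dropping the guard. The check covers presence only; the width of each attribute is presumably enforced by the policy handed to the parse call above, which is not visible here, so confirm that both entries are typed in that table. nfacct_filter_alloc starts before and continues after the hunk.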