| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Jul 2016 21:11:28 +0300
From: Sergei Shtylyov <sergei.shtylyov@...entembedded.com>
To: Pablo Neira Ayuso <pablo@...filter.org>,
netfilter-devel@...r.kernel.org
Cc: davem@...emloft.net, netdev@...r.kernel.org
Subject: Re: [PATCH 03/26] netfilter: x_tables: fix possible ZERO_SIZE_PTR
pointer dereferencing error.
Hello.
On 07/06/2016 05:23 PM, Pablo Neira Ayuso wrote:
> From: Xiubo Li <lixiubo@...s.chinamobile.com>
>
> Since we cannot make sure that the 'hook_mask' will always be none
> zero here.
Non-zero, you mean?
> If it equals to zero, the num_hooks will be zero too,
> and then kmalloc() will return ZERO_SIZE_PTR, which is (void *)16.
>
> Then the following error check will fails:
> ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
> if (ops == NULL)
> return ERR_PTR(-ENOMEM);
>
> So this patch will fix this with just doing the zero check before
> kmalloc() is called.
>
> Maybe the case above will never happen here, but in theory.
>
> Signed-off-by: Xiubo Li <lixiubo@...s.chinamobile.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> ---
> net/netfilter/x_tables.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index c69c892..8aff34e 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -1460,6 +1460,9 @@ xt_hook_ops_alloc(const struct xt_table *table, nf_hookfn *fn)
> uint8_t hooknum;
> struct nf_hook_ops *ops;
>
> + if (!num_hooks)
> + return ERR_PTR(-EINVAL);
> +
> ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
BTW, asking to be kcalloc() instead?
[...]
MBR, Sergei
Powered by blists - more mailing lists