[NETFILTER] ctnetlink: More thorough size checking of attributes

Add missing size checks. Thanks Patrick McHardy for the hint. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2005-11-14 15:22:11 -0800
committer: David S. Miller <davem@davemloft.net> 2005-11-14 15:22:11 -0800
commit: 56558208521729fa6b2a0f12df22e1569dee297a (patch)
tree: 0edad3244ac80e9cf00707ac4940e8c3a758cf75 /net/ipv4/netfilter/ip_conntrack_proto_tcp.c
parent: c0400c4f5a08cfd1c657f7f616fcf1dfbd76a4d7 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 5b3f5220f28..ee3b7d6c4d2 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -357,6 +357,10 @@ nfattr_failure:
 	return -1;
 }
 
+static const size_t cta_min_tcp[CTA_PROTOINFO_TCP_MAX] = {
+	[CTA_PROTOINFO_TCP_STATE-1]	= sizeof(u_int8_t),
+};
+
 static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
 {
 	struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
@@ -369,6 +373,9 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
 
         nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr);
 
+	if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp))
+		return -EINVAL;
+
 	if (!tb[CTA_PROTOINFO_TCP_STATE-1])
 		return -EINVAL;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2005-11-14 15:22:11 -0800
committer	David S. Miller <davem@davemloft.net>	2005-11-14 15:22:11 -0800
commit	56558208521729fa6b2a0f12df22e1569dee297a (patch)
tree	0edad3244ac80e9cf00707ac4940e8c3a758cf75 /net/ipv4/netfilter/ip_conntrack_proto_tcp.c
parent	c0400c4f5a08cfd1c657f7f616fcf1dfbd76a4d7 (diff)