netfilter: x_tables: make sure e->next_offset covers remaining blob size

[pandora-kernel.git] / net / ipv6 / netfilter / ip6_tables.c

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 94874b0..8d46643 100644 (file)
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -583,14 +583,12 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
 }
 
 static int
-check_entry(const struct ip6t_entry *e, const char *name)
+check_entry(const struct ip6t_entry *e)
 {
        const struct xt_entry_target *t;
 
-       if (!ip6_checkentry(&e->ipv6)) {
-               duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+       if (!ip6_checkentry(&e->ipv6))
                return -EINVAL;
-       }
 
        if (e->target_offset + sizeof(struct xt_entry_target) >
            e->next_offset)
@@ -681,10 +679,6 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
        struct xt_mtchk_param mtpar;
        struct xt_entry_match *ematch;
 
-       ret = check_entry(e, name);
-       if (ret)
-               return ret;
-
        j = 0;
        mtpar.net       = net;
        mtpar.table     = name;
@@ -748,9 +742,11 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
                           unsigned int valid_hooks)
 {
        unsigned int h;
+       int err;
 
        if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
-           (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
+           (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
+           (unsigned char *)e + e->next_offset > limit) {
                duprintf("Bad offset %p\n", e);
                return -EINVAL;
        }
@@ -762,6 +758,10 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
                return -EINVAL;
        }
 
+       err = check_entry(e);
+       if (err)
+               return err;
+
        /* Check hooks & underflows */
        for (h = 0; h < NF_INET_NUMHOOKS; h++) {
                if (!(valid_hooks & (1 << h)))
@@ -1249,8 +1249,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 
        xt_free_table_info(oldinfo);
        if (copy_to_user(counters_ptr, counters,
-                        sizeof(struct xt_counters) * num_counters) != 0)
-               ret = -EFAULT;
+                        sizeof(struct xt_counters) * num_counters) != 0) {
+               /* Silent error, can't fail, new table is already in place */
+               net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
+       }
        vfree(counters);
        xt_table_unlock(t);
        return ret;
@@ -1508,7 +1510,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
 
        duprintf("check_compat_entry_size_and_hooks %p\n", e);
        if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
-           (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
+           (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
+           (unsigned char *)e + e->next_offset > limit) {
                duprintf("Bad offset %p, limit = %p\n", e, limit);
                return -EINVAL;
        }
@@ -1521,7 +1524,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
        }
 
        /* For purposes of check_entry casting the compat entry is fine */
-       ret = check_entry((struct ip6t_entry *)e, name);
+       ret = check_entry((struct ip6t_entry *)e);
        if (ret)
                return ret;