netfilter: ipset: fix hash size checking in kernel

The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2012-05-14 05:47:01 +0400
committer: David S. Miller <davem@davemloft.net> 2012-05-16 23:38:49 +0400
commit: 26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c (patch)
tree: 046834414e20d334fc5172275a53c55d9722a714 /include
parent: 769b0daf6e18a05a6d4da94baab7edd12867350c (diff)
download: linux-26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c.tar.xz
1 files changed, 16 insertions, 0 deletions
diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h
index 05a5d72680be..230a290e1973 100644
--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -99,6 +99,22 @@ struct ip_set_hash {
 #endif
 };
 
+static size_t
+htable_size(u8 hbits)
+{
+	size_t hsize;
+
+	/* We must fit both into u32 in jhash and size_t */
+	if (hbits > 31)
+		return 0;
+	hsize = jhash_size(hbits);
+	if ((((size_t)-1) - sizeof(struct htable))/sizeof(struct hbucket)
+	    < hsize)
+		return 0;
+
+	return hsize * sizeof(struct hbucket) + sizeof(struct htable);
+}
+
 /* Compute htable_bits from the user input parameter hashsize */
 static u8
 htable_bits(u32 hashsize)
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2012-05-14 05:47:01 +0400
committer	David S. Miller <davem@davemloft.net>	2012-05-16 23:38:49 +0400
commit	26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c (patch)
tree	046834414e20d334fc5172275a53c55d9722a714 /include
parent	769b0daf6e18a05a6d4da94baab7edd12867350c (diff)
download	linux-26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c.tar.xz