> I can see that the size might cause an overflow in the addition with
> sizeof(struct ipt_get_entries)
That's the integer overflow i pointed.
get.size is copy from the user space, it can be set as 0x7fffffff,
addition with sizeof(struct ipt_get_entries) can be overflow.
if (*len != sizeof(struct ipt_get_entries) + get.size) {
duprintf("get_entries: %u != %zu\n",
*len, sizeof(get) + get.size);
return -EINVAL;
}
so, check get.size max value before addition with sizeof(struct
ipt_get_entries) to prevent the integer overflow.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
