netfilter: ipset: fixes possible oops in mtype_resize

stable inclusion from stable-5.10.9 commit cc77e4a020aa308265a67ed4cb3188100a1787a0 bugzilla: 47457 -------------------------------- [ Upstream commit 2b33d6ff ] currently mtype_resize() can cause oops t = ip_set_alloc(htable_size(htable_bits)); if (!t) { ret = -ENOMEM; goto out; } t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits)); Increased htable_bits can force htable_size() to return 0. In own turn ip_set_alloc(0) returns not 0 but ZERO_SIZE_PTR, so follwoing access to t->hregion should trigger an OOPS. Signed-off-by: N Vasily Averin <vvs@virtuozzo.com> Acked-by: N Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

netfilter: ipset: fixes possible oops in mtype_resize
stable inclusion from stable-5.10.9 commit cc77e4a020aa308265a67ed4cb3188100a1787a0 bugzilla: 47457 -------------------------------- [ Upstream commit 2b33d6ff ] currently mtype_resize() can cause oops t = ip_set_alloc(htable_size(htable_bits)); if (!t) { ret = -ENOMEM; goto out; } t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits)); Increased htable_bits can force htable_size() to return 0. In own turn ip_set_alloc(0) returns not 0 but ZERO_SIZE_PTR, so follwoing access to t->hregion should trigger an OOPS. Signed-off-by: N Vasily Averin <vvs@virtuozzo.com> Acked-by: N Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
5e65ff1a · Vasily Averin · Zheng Zengkai · 52e88e72 · 5e65ff1a
隐藏空白更改
内联并排

Showing with 13 addition and 9 deletion

net/netfilter/ipset/ip_set_hash_gen.h net/netfilter/ipset/ip_set_hash_gen.h +13 -9

未找到文件。
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -630,7 +630,7 @@ mtype_resize(struct ip_set *set, bool retried)
 	struct htype *h = set->data;
 	struct htable *t, *orig;
 	u8 htable_bits;
-	size_t dsize = set->dsize;
+	size_t hsize, dsize = set->dsize;
 #ifdef IP_SET_HASH_WITH_NETS
 	u8 flags;
 	struct mtype_elem *tmp;
@@ -654,14 +654,12 @@ mtype_resize(struct ip_set *set, bool retried)
 retry:
 	ret = 0;
 	htable_bits++;
-	if (!htable_bits) {
-		/* In case we have plenty of memory :-) */
-		pr_warn("Cannot increase the hashsize of set %s further\n",
-			set->name);
-		ret = -IPSET_ERR_HASH_FULL;
-		goto out;
-	}
-	t = ip_set_alloc(htable_size(htable_bits));
+	if (!htable_bits)
+		goto hbwarn;
+	hsize = htable_size(htable_bits);
+	if (!hsize)
+		goto hbwarn;
+	t = ip_set_alloc(hsize);
 	if (!t) {
 		ret = -ENOMEM;
 		goto out;
@@ -803,6 +801,12 @@ mtype_resize(struct ip_set *set, bool retried)
 	if (ret == -EAGAIN)
 		goto retry;
 	goto out;
+
+hbwarn:
+	/* In case we have plenty of memory :-) */
+	pr_warn("Cannot increase the hashsize of set %s further\n", set->name);
+	ret = -IPSET_ERR_HASH_FULL;
+	goto out;
 }

 /* Get the current number of elements and ext_size in the set  */