[3.16.y-ckt stable] Patch "netfilter: nf_tables: check for overflow of rule dlen field" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Wed May 20 12:31:49 UTC 2015


This is a note to let you know that I have just added a patch titled

    netfilter: nf_tables: check for overflow of rule dlen field

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt12.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From 588ef6ecb5b19b0d864ff415b7a64cd173ba6577 Mon Sep 17 00:00:00 2001
From: Patrick McHardy <kaber at trash.net>
Date: Tue, 3 Mar 2015 20:04:19 +0000
Subject: netfilter: nf_tables: check for overflow of rule dlen field

commit 9889840f5988ecfd43b00c9abb83c1804e21406b upstream.

Check that the space required for the expressions doesn't exceed the
size of the dlen field, which would lead to the iterators crashing.

Signed-off-by: Patrick McHardy <kaber at trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/netfilter/nf_tables_api.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e8624c751ec6..41abb8281a4c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1794,6 +1794,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 			n++;
 		}
 	}
+	/* Check for overflow of dlen field */
+	err = -EFBIG;
+	if (size >= 1 << 12)
+		goto err1;

 	if (nla[NFTA_RULE_USERDATA])
 		ulen = nla_len(nla[NFTA_RULE_USERDATA]);
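
Review bot: The bound in `if (size >= 1 << 12)` is a bare literal. The comment and the commit message tie it to the width of the dlen field, but nothing in the code links the two, so a later change to that field's width would leave this check silently stale. Consider defining the limit as a named constant next to the field's declaration and using it here, for example `if (size >= NFT_RULE_MAXDLEN)` (constant name hypothetical). Since the hunk does not show how `size` is declared, it is also worth confirming that the accumulation in the loop above cannot wrap its own type before this comparison is reached.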



