1 files changed, 7 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 00729b3604f8..cbd4020cc84d 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -934,6 +934,13 @@ static int do_replace(void __user *user, unsigned int len)
                BUGPRINT("Entries_size never zero\n");
                return -EINVAL;
        }
+        /* overflow check */
+        if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
+                        SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
+                return -ENOMEM;
+        if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+                return -ENOMEM;
        countersize = COUNTER_OFFSET(tmp.nentries) * 
                                        (highest_possible_processor_id()+1);
        newinfo = (struct ebt_table_info *)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 00729b3604f8..cbd4020cc84d 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c
@@ -934,6 +934,13 @@ static int do_replace(void __user *user, unsigned int len)
934	BUGPRINT("Entries_size never zero\n");	934	BUGPRINT("Entries_size never zero\n");
935	return -EINVAL;	935	return -EINVAL;
936	}	936	}
		937	/* overflow check */
		938	if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
		939	SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
		940	return -ENOMEM;
		941	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
		942	return -ENOMEM;
		943
937	countersize = COUNTER_OFFSET(tmp.nentries) *	944	countersize = COUNTER_OFFSET(tmp.nentries) *
938	(highest_possible_processor_id()+1);	945	(highest_possible_processor_id()+1);
939	newinfo = (struct ebt_table_info *)	946	newinfo = (struct ebt_table_info *)