1 files changed, 7 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 847068fd3367..74ff56c322f4 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -978,6 +978,13 @@ do_replace(void __user *user, unsigned int len)
        if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
                return -EFAULT;
+        /* overflow check */
+        if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
+                        SMP_CACHE_BYTES)
+                return -ENOMEM;
+        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+                return -ENOMEM;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
                return -ENOMEM;

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 847068fd3367..74ff56c322f4 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c
@@ -978,6 +978,13 @@ do_replace(void __user *user, unsigned int len)
978	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)	978	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
979	return -EFAULT;	979	return -EFAULT;
980		980
		981	/* overflow check */
		982	if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
		983	SMP_CACHE_BYTES)
		984	return -ENOMEM;
		985	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
		986	return -ENOMEM;
		987
981	newinfo = xt_alloc_table_info(tmp.size);	988	newinfo = xt_alloc_table_info(tmp.size);
982	if (!newinfo)	989	if (!newinfo)
983	return -ENOMEM;	990	return -ENOMEM;