Comment 0 for bug 1555353

[From ]

A recent refactoring cof this codepath ( introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption.

More specifically, the overflow may have been introduced in ; specifically the bit:

  + size_t sz = sizeof(*info) + size;

(where size is an unsigned int passed from userspace).

This issue should only affect 32bit platforms (xt_table_info.size is an unsigned int).