diff options
| author | Xin Long <lucien.xin@gmail.com> | 2021-10-12 15:18:13 +0300 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-10-15 00:08:35 +0300 |
| commit | a482c5e00a9b5a194085bcd372ac36141028becb (patch) | |
| tree | 7ca2d48dc5124057f5d15227ed44cc6ff361da30 /net/netfilter/nft_payload.c | |
| parent | 465f15a6d1a8f51f7e09fba12678b39031f63ca9 (diff) | |
| download | linux-a482c5e00a9b5a194085bcd372ac36141028becb.tar.xz | |
netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6
In rt_mt6(), when it's a nonlinear skb, the 1st skb_header_pointer()
only copies sizeof(struct ipv6_rt_hdr) to _route that rh points to.
The access by ((const struct rt0_hdr *)rh)->reserved will overflow
the buffer. So this access should be moved below the 2nd call to
skb_header_pointer().
Besides, after the 2nd skb_header_pointer(), its return value should
also be checked, othersize, *rp may cause null-pointer-ref.
v1->v2:
- clean up some old debugging log.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nft_payload.c')
0 files changed, 0 insertions, 0 deletions