diff options
| author | Florian Westphal <fw@strlen.de> | 2016-03-22 18:02:52 +0100 |
|---|---|---|
| committer | Simon Shields <keepcalm444@gmail.com> | 2016-05-06 22:56:33 +1000 |
| commit | e4941d685b43583bda1d8cc2c8a9662492adcedb (patch) | |
| tree | 3012d88db260ad380762b682acd56f200a7fc32d /net/tipc | |
| parent | b8be5e6f4034e82c271939333b7314ba27c3085e (diff) | |
| download | kernel_samsung_smdk4412-e4941d685b43583bda1d8cc2c8a9662492adcedb.zip kernel_samsung_smdk4412-e4941d685b43583bda1d8cc2c8a9662492adcedb.tar.gz kernel_samsung_smdk4412-e4941d685b43583bda1d8cc2c8a9662492adcedb.tar.bz2 | |
netfilter: x_tables: fix unconditional helper
Ben Hawkes says:
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.
Problem is that mark_source_chains should not have been called --
the rule doesn't have a next entry, so its supposed to return
an absolute verdict of either ACCEPT or DROP.
However, the function conditional() doesn't work as the name implies.
It only checks that the rule is using wildcard address matching.
However, an unconditional rule must also not be using any matches
(no -m args).
The underflow validator only checked the addresses, therefore
passing the 'unconditional absolute verdict' test, while
mark_source_chains also tested for presence of matches, and thus
proceeeded to the next (not-existent) rule.
Unify this so that all the callers have same idea of 'unconditional rule'.
Change-Id: I82cf878cc77aa1b65ce492c8f12bd5c93a4d084e
Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/tipc')
0 files changed, 0 insertions, 0 deletions