netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6 - linux-dev - Linux kernel development work

diff options

author	Xin Long <lucien.xin@gmail.com>	2021-10-12 08:18:13 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-10-14 23:08:35 +0200
commit	a482c5e00a9b5a194085bcd372ac36141028becb (patch)
tree	7ca2d48dc5124057f5d15227ed44cc6ff361da30 /tools/perf/scripts/python/export-to-postgresql.py
parent	selftests: nft_nat: add udp hole punch test case (diff)
download	linux-dev-a482c5e00a9b5a194085bcd372ac36141028becb.tar.xz linux-dev-a482c5e00a9b5a194085bcd372ac36141028becb.zip

netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6

In rt_mt6(), when it's a nonlinear skb, the 1st skb_header_pointer() only copies sizeof(struct ipv6_rt_hdr) to _route that rh points to. The access by ((const struct rt0_hdr *)rh)->reserved will overflow the buffer. So this access should be moved below the 2nd call to skb_header_pointer(). Besides, after the 2nd skb_header_pointer(), its return value should also be checked, othersize, *rp may cause null-pointer-ref. v1->v2: - clean up some old debugging log. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'tools/perf/scripts/python/export-to-postgresql.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: