From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>
Subject: [NETFILTER 05/05]: ebtables: don't compute gap before checking struct type
Date: Thu, 4 Jan 2007 19:38:27 +0100 (MET) [thread overview]
Message-ID: <20070104183827.18369.42643.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20070104183820.18369.3658.sendpatchset@localhost.localdomain>
[NETFILTER]: ebtables: don't compute gap before checking struct type
We cannot compute the gap until we know we have a 'struct ebt_entry' and
not 'struct ebt_entries'. Failure to check can cause crash.
Tested-by: Santiago Garcia Mantinan <manty@manty.net>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 5a6aa046d38ffffa96ee2c6cbba0ea7fa405abdf
tree d7215dd5b39707affd4ce0e70d313335ffd85611
parent 36263425185d6993ca8af49ad6e7d1af66846d9c
author Chuck Ebbert <76306.1226@compuserve.com> Thu, 04 Jan 2007 19:28:53 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 04 Jan 2007 19:28:53 +0100
net/bridge/netfilter/ebtables.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index bee558a..6c84ccb 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -610,7 +610,7 @@ ebt_check_entry(struct ebt_entry *e, str
struct ebt_entry_target *t;
struct ebt_target *target;
unsigned int i, j, hook = 0, hookmask = 0;
- size_t gap = e->next_offset - e->target_offset;
+ size_t gap;
int ret;
/* don't mess with the struct ebt_entries */
@@ -660,6 +660,7 @@ ebt_check_entry(struct ebt_entry *e, str
if (ret != 0)
goto cleanup_watchers;
t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
+ gap = e->next_offset - e->target_offset;
target = find_target_lock(t->u.name, &ret, &ebt_mutex);
if (!target)
goto cleanup_watchers;
next prev parent reply other threads:[~2007-01-04 18:38 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-01-04 18:38 [NETFILTER 00/05]: Netfilter fixes Patrick McHardy
2007-01-04 18:38 ` [NETFILTER 01/05]: compat offsets size change Patrick McHardy
2007-01-04 20:14 ` David Miller
2007-01-04 18:38 ` [NETFILTER 02/05]: Fix routing of REJECT target generated packets in output chain Patrick McHardy
2007-01-04 20:15 ` David Miller
2007-01-04 18:38 ` [NETFILTER 03/05]: New connection tracking is not EXPERIMENTAL anymore Patrick McHardy
2007-01-04 20:16 ` David Miller
2007-01-04 18:38 ` [NETFILTER 04/05]: nf_nat: fix MASQUERADE crash on device down Patrick McHardy
2007-01-04 20:17 ` David Miller
2007-01-04 18:38 ` Patrick McHardy [this message]
2007-01-04 20:18 ` [NETFILTER 05/05]: ebtables: don't compute gap before checking struct type David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070104183827.18369.42643.sendpatchset@localhost.localdomain \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).