diff mbox

[xt-addons] xt_psd: avoid crash due to curr->next corruption

Message ID

1334751208-10387-1-git-send-email-fw@strlen.de

State

Not Applicable

Headers

show

From: Florian Westphal <fw@strlen.de>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH xt-addons] xt_psd: avoid crash due to curr->next corruption
Date: Wed, 18 Apr 2012 14:13:28 +0200
Message-Id: <1334751208-10387-1-git-send-email-fw@strlen.de>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Florian Westphal April 18, 2012, 12:13 p.m. UTC

curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain
conditions we wrote past end of array, corrupting ->next pointer
of the adjacent host entry.

Reported-and-tested-by: Serge Leschinsky <serge.leschinsky@gmail.com>
---
 extensions/xt_psd.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Comments

Jan Engelhardt April 18, 2012, 12:30 p.m. UTC | #1

On Wednesday 2012-04-18 14:13, Florian Westphal wrote:

>curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain
>conditions we wrote past end of array, corrupting ->next pointer
>of the adjacent host entry.

Processed.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff mbox

Patch

diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 46b2831..acb5e8e 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -227,7 +227,7 @@  xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 				goto out_match;
 
 			/* Remember the new port */
-			if (curr->count < SCAN_MAX_COUNT) {
+			if (curr->count < ARRAY_SIZE(curr->ports)) {
 				curr->ports[curr->count].number = dest_port;
 				curr->ports[curr->count].proto = proto;
 				curr->ports[curr->count].and_flags = tcp_flags;