Message ID | 1334751208-10387-1-git-send-email-fw@strlen.de |
---|---|
State | Not Applicable |
Headers | show |
On Wednesday 2012-04-18 14:13, Florian Westphal wrote: >curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain >conditions we wrote past end of array, corrupting ->next pointer >of the adjacent host entry. Processed. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c index 46b2831..acb5e8e 100644 --- a/extensions/xt_psd.c +++ b/extensions/xt_psd.c @@ -227,7 +227,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match) goto out_match; /* Remember the new port */ - if (curr->count < SCAN_MAX_COUNT) { + if (curr->count < ARRAY_SIZE(curr->ports)) { curr->ports[curr->count].number = dest_port; curr->ports[curr->count].proto = proto; curr->ports[curr->count].and_flags = tcp_flags;