Patchwork [xt-addons] xt_psd: avoid crash due to curr->next corruption

Submitter Florian Westphal
Date April 18, 2012, 12:13 p.m.
Message ID <1334751208-10387-1-git-send-email-fw@strlen.de>
Permalink /patch/153483/
State Not Applicable

Comments

Florian Westphal - April 18, 2012, 12:13 p.m.
curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain
conditions we wrote past end of array, corrupting ->next pointer
of the adjacent host entry.

Reported-and-tested-by: Serge Leschinsky <serge.leschinsky@gmail.com>
---
 extensions/xt_psd.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
Jan Engelhardt - April 18, 2012, 12:30 p.m.
On Wednesday 2012-04-18 14:13, Florian Westphal wrote:

>curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain
>conditions we wrote past end of array, corrupting ->next pointer
>of the adjacent host entry.

Processed.

Patch

diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 46b2831..acb5e8e 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -227,7 +227,7 @@  xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 				goto out_match;
 
 			/* Remember the new port */
-			if (curr->count < SCAN_MAX_COUNT) {
+			if (curr->count < ARRAY_SIZE(curr->ports)) {
 				curr->ports[curr->count].number = dest_port;
 				curr->ports[curr->count].proto = proto;
 				curr->ports[curr->count].and_flags = tcp_flags;
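
Review bot: The corrected guard at `if (curr->count < ARRAY_SIZE(curr->ports))` protects only this one write site, and the visible context does not show where curr->count is incremented or what else indexes ports[] by it. Since the commit message says ports[] holds SCAN_MAX_COUNT - 1 entries, any other comparison of curr->count against SCAN_MAX_COUNT that is followed by a ports[] access (for example a loop checking whether dest_port was already seen) has the same off-by-one and should be audited in the same patch. It would also help to add a comment at the ports[] declaration explaining why it is one smaller than SCAN_MAX_COUNT, so the two limits are not conflated again, and to state in the comment above this block that a new port is deliberately not recorded once the array is full.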