From patchwork Wed Apr 18 12:13:28 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [xt-addons] xt_psd: avoid crash due to curr->next corruption Date: Wed, 18 Apr 2012 02:13:28 -0000 From: Florian Westphal X-Patchwork-Id: 153483 Message-Id: <1334751208-10387-1-git-send-email-fw@strlen.de> To: netfilter-devel@vger.kernel.org Cc: Florian Westphal curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain conditions we wrote past end of array, corrupting ->next pointer of the adjacent host entry. Reported-and-tested-by: Serge Leschinsky --- extensions/xt_psd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c index 46b2831..acb5e8e 100644 --- a/extensions/xt_psd.c +++ b/extensions/xt_psd.c @@ -227,7 +227,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match) goto out_match; /* Remember the new port */ - if (curr->count < SCAN_MAX_COUNT) { + if (curr->count < ARRAY_SIZE(curr->ports)) { curr->ports[curr->count].number = dest_port; curr->ports[curr->count].proto = proto; curr->ports[curr->count].and_flags = tcp_flags;
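Review bot: The new bound `curr->count < ARRAY_SIZE(curr->ports)` in xt_psd_match() fixes this one write, but the hunk shows only a single place where curr->count indexes curr->ports[]. Any other loop or check in xt_psd.c that still limits curr->count by SCAN_MAX_COUNT would walk one entry past the end in the same way the commit message describes, so please confirm those were audited and note it in the message. The message says the array holds SCAN_MAX_COUNT - 1 entries, which is easy to forget. A short comment at this check, or next to the ports[] declaration, stating that relationship would help keep a later cleanup from reintroducing the SCAN_MAX_COUNT comparison. It would also help to spell out "under certain conditions" in the message, since the visible code writes to ports[curr->count] whenever the old test passed, and that is the case that reaches the adjacent entry's ->next pointer.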