Commit 1756de26 authored by Florian Westphal's avatar Florian Westphal Committed by Patrick McHardy

netfilter: ebtables: abort if next_offset is too small

next_offset must be > 0, otherwise this loops forever.
The offset also contains the size of the ebt_entry structure
itself, so anything smaller is invalid.
Signed-off-by: default avatarFlorian Westphal <fwestphal@astaro.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent ef00f89f
...@@ -444,6 +444,8 @@ static int ebt_verify_pointers(const struct ebt_replace *repl, ...@@ -444,6 +444,8 @@ static int ebt_verify_pointers(const struct ebt_replace *repl,
break; break;
if (left < e->next_offset) if (left < e->next_offset)
break; break;
if (e->next_offset < sizeof(struct ebt_entry))
return -EINVAL;
offset += e->next_offset; offset += e->next_offset;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment