tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()

Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.

rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].
Validate addrnr during rule installation so malformed rules are rejected
before the match logic can use an out-of-range value.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Ren Wei and committed by
Pablo Neira Ayuso 9d3f0273 52025eba

+4
+4
net/ipv6/netfilter/ip6t_rt.c
··· 157 157 pr_debug("unknown flags %X\n", rtinfo->invflags); 158 158 return -EINVAL; 159 159 } 160 + if (rtinfo->addrnr > IP6T_RT_HOPS) { 161 + pr_debug("too many addresses specified\n"); 162 + return -EINVAL; 163 + } 160 164 if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) && 161 165 (!(rtinfo->flags & IP6T_RT_TYP) || 162 166 (rtinfo->rt_type != 0) ||