summaryrefslogtreecommitdiffstats
path: root/block/ioctl.c
diff options
context:
space:
mode:
authorXin Long <lucien.xin@gmail.com>2021-10-12 08:18:13 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2021-10-14 23:08:35 +0200
commita482c5e00a9b5a194085bcd372ac36141028becb (patch)
tree7ca2d48dc5124057f5d15227ed44cc6ff361da30 /block/ioctl.c
parent465f15a6d1a8f51f7e09fba12678b39031f63ca9 (diff)
downloadlinux-a482c5e00a9b5a194085bcd372ac36141028becb.tar.bz2
netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6
In rt_mt6(), when it's a nonlinear skb, the 1st skb_header_pointer() only copies sizeof(struct ipv6_rt_hdr) to _route that rh points to. The access by ((const struct rt0_hdr *)rh)->reserved will overflow the buffer. So this access should be moved below the 2nd call to skb_header_pointer(). Besides, after the 2nd skb_header_pointer(), its return value should also be checked, othersize, *rp may cause null-pointer-ref. v1->v2: - clean up some old debugging log. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'block/ioctl.c')
0 files changed, 0 insertions, 0 deletions